
Internet Infrastructure Review Vol.27, May 2015

Infrastructure Security: Increasingly Malicious PUAs

Messaging Technology: Anti-Spam Measure Technology and DMARC Trends

Web Traffic Report: Report on Access Log Analysis Results for Streaming Delivery of the 2014 Summer Koshien

Table of Contents

Executive Summary
1. Infrastructure Security
1.1 Introduction
1.2 Incident Summary
1.3 Incident Survey
1.3.1 DDoS Attacks
1.3.2 Malware Activities
1.3.3 SQL Injection Attacks
1.3.4 Website Alterations
1.4 Focused Research
1.4.1 Increasingly Malicious PUAs
1.4.2 Evaluating the IOCs of Malware That Reprograms HDD Firmware
1.4.3 ID Management Technology: From a Convenience and Security Perspective
1.5 Conclusion
2. Messaging Technology
2.1 Introduction
2.2 Spam Trends
2.2.1 Spam Ratios Decline Further in FY2014
2.2.2 Higher Risks Despite Lower Volumes
2.3 Trends in Email Technologies
2.3.1 The DMARC RFC
2.3.2 Use of DMARC by Email Recipients
2.3.3 Problems with DMARC and Reporting
2.3.4 Domain Reputation
2.3.5 Email Ecosystems
2.4 Conclusion
3. Web Traffic Report
3.1 Overview of Streaming Delivery of the 2014 Summer Koshien
3.2 Changes in Access Numbers by Day and Hour
3.3 Differences in Viewing Activities by Device
3.3.1 Comparison of Client Numbers and Access Numbers by Device
3.3.2 Differences in Viewing Length
3.4 Differences in Viewing Time
3.5 Conclusion

To download current and past issues of the Internet Infrastructure Review in PDF format, please visit the IIJ website at http://www.iij.ad.jp/en/company/development/iir/.


Executive Summary

According to a report titled “Aggregation and Provisional Calculation of Internet Traffic in Japan,” which was published by the Ministry of Internal Affairs and Communications on April 3, 2015, as of November 2014 the overall download traffic of broadband subscribers was estimated to be 3.6 Tbps. This is a 37.5% increase compared to the same month of the previous year. The number of broadband subscribers remained almost flat during this period, showing only a slight increase, which means the shift towards users consuming larger-scale content is progressing. Also, while the volume of mobile user download traffic was still comparatively small at 758 Gbps, it increased by 45.5%, which is higher than the overall rate of increase. In the future it is likely that the growth of mobile traffic will be a driving factor in the growth of overall traffic volumes. Meanwhile, the major U.S. video streaming service Netflix has announced that it will launch a service in Japan this fall. It is thought that companies including Hulu and domestic operators such as acTVila and Hikari TV that have already entered the Japanese market will invest in their services to vie for customers, so the Internet-based online video streaming market is expected to see a major boost towards the latter half of this year. In the coming months there is likely to be a major upheaval in the state of Internet usage from a traffic perspective.

This report discusses the results of the various ongoing surveys and analysis activities that IIJ, as a service provider, carries out to support the Internet and cloud infrastructure, and to enable our customers to continue to use them safely and securely. We also regularly present summaries of technological development as well as important technical information.

In the “Infrastructure Security” section, we give a month-by-month chronological summary of major incidents observed during the three months from January 1 to March 31, 2015, and report on the results of our statistics gathering and analyses for the entire period. We also present our focused research for this period, including a look at analysis results for PUA (Potentially Unwanted Programs) as well as discussion of the techniques used. In addition, we examine malware that reprograms HDD firmware, and continue our report on ID management technology from the previous volume.

In the “Messaging Technology” section, we report on our analysis of spam trends for the 52 weeks between March 31, 2014, and March 29, 2015, while also looking at long-term trends (from IIR Vol.1, June 2008). In our discussion of email technologies, we examine the DMARC technology for which an RFC was authored in March 2015, and discuss the creation of an environment for using it. In addition, we look at the email ecosystem, including domain reputation and feedback.

In the “Web Traffic Report” section, we analyze the logs of all delivery servers for the live streaming delivery of video for the National High School Baseball Championship at Koshien Stadium held in August 2014, which resulted in a peak traffic of 108 Gbps and a total of approximately 1.9 billion requests. We also examine differences in access trends due to access scale and device type that were revealed through the results of this analysis.

Through activities such as these, IIJ continues to strive towards improving and developing our services on a daily basis while maintaining the stability of the Internet. We will keep providing a variety of solutions that our customers can take full advantage of as infrastructure for their corporate activities.

Author: Toshiya Asaba
President and CEO, IIJ Innovation Institute Inc. President and CEO, Stratosphere Inc.
Mr. Asaba joined IIJ in its inaugural year of 1992, becoming involved in backbone construction, route control, and interconnectivity with domestic and foreign ISPs. He was named IIJ director in 1999, and executive vice president in charge of technical development in 2004. When the IIJ Innovation Institute Inc. was founded in June 2008, Mr. Asaba became its president and CEO. When Stratosphere Inc. was founded in April 2012, he also became president and CEO of that organization.

1. Infrastructure Security

Increasingly Malicious PUAs

In this report, we discuss increasingly malicious PUAs, and following on from our last report we cover actual usage cases for ID management technology, as well as initiatives for bolstering its security. We also look at the IOCs for malware that reprograms HDD firmware.

1.1 Introduction

This report summarizes incidents to which IIJ responded, based on general information obtained by IIJ itself related to the stable operation of the Internet, information from observations of incidents, information acquired through our services, and information obtained from companies and organizations with which IIJ has cooperative relationships. This volume covers the period of time from January 1 through March 31, 2015. In this period a number of hacktivism-based attacks were once again carried out by Anonymous and other groups, and there was a rash of attacks including SNS account hijackings and website defacements. There were also a large number of information leaks due to unauthorized access. It has been pointed out that the personal information of up to 80 million people may have leaked in an incident that occurred at a health insurer in the United States. An issue was also discovered in software pre-installed on PCs. This could potentially allow encrypted Web browser communications to be intercepted by a third party, or fraudulent websites to be recognized as legitimate. These examples show that many security-related incidents continue to occur on the Internet.

1.2 Incident Summary

Here, we discuss the IIJ handling and response to incidents that occurred between January 1 and March 31, 2015. Figure 1 shows the distribution of incidents handled during this period*1.

Figure 1: Incident Ratio by Category (January 1 to March 31, 2015)
Security Incidents 38.8%; Other 30.4%; Vulnerabilities 28.6%; History 1.3%; Political and Social Situation 0.9%

*1 Incidents discussed in this report are categorized as vulnerabilities, political and social situations, history, security incidents, or other.
Vulnerabilities: Responses to vulnerabilities associated with network equipment, server equipment or software commonly used over the Internet or in user environments.
Political and Social Situations: Responses to incidents related to domestic and foreign circumstances and international events such as international conferences attended by VIPs and attacks originating in international disputes.
History: Historically significant dates; warning/alarms, detection of incidents, measures taken in response, etc., related to attacks in connection with a past historical fact.
Security Incidents: Unexpected incidents and related responses such as wide propagation of network worms and other malware; DDoS attacks against certain websites.
Other: Security-related information, and incidents not directly associated with security problems, including highly concentrated traffic associated with a notable event.

■ The Activities of Anonymous and Other Hacktivists

Attacks by hacktivists such as Anonymous continued during this period. DDoS attacks and information leaks occurred at government-related and corporate sites in a large number of countries, stemming from a variety of situations and causes. In January, a number of Massachusetts Institute of Technology (MIT) websites were defaced in memory of an activist who committed suicide the year before last. Similarly, in the Philippines a number of government websites were defaced in protest against a firefight that took place between police and an armed group on Mindanao Island in January. In February, DDoS attacks were made on multiple Saudi Arabian banks in protest against the Saudi Arabian Royal Family (OpSaudi). SNS account hijackings by unknown attackers claiming affiliation with the Syrian Electronic Army also continued, with affected companies including the French newspaper Le Monde. Other attacks by hacktivists such as Anonymous continued on government and government-related websites around the world. There were also ongoing hijacking incidents targeting the SNS accounts of government institutions and celebrities. In addition, there has been a rash of attacks such as SNS account hijackings perpetrated worldwide by those claiming affiliation with ISIL or associated organizations. During the current survey period, in January there were incidents in which the official Twitter and YouTube accounts of the U.S. Central Command were hijacked, and the website of Malaysia Airlines was redirected to another website via DNS hijacking*2. Alterations to websites, including those of a number of companies in Japan, also garnered attention in March. These website alterations are thought to have been caused by attacks exploiting a WordPress plug-in vulnerability*3. Because attacks similar to these alteration incidents are occurring worldwide and not just in Japan, in April the FBI also issued an alert in the United States*4. In contrast, there were attacks thought to be carried out by Anonymous on Islamic extremist sites in response to a shooting at a weekly newspaper in France (OpCharlieHebdo), and attacks that resulted in the publishing of a list of ISIL-related accounts on SNS such as Twitter and Facebook, as well as account suspensions and the deletion of previous posts (OpISIS). There are also ongoing activities involving the publishing of lists of VPNs and websites thought to be connected to ISIL, and of their hosting companies, with the intent of having them shut down or deleted.

■ Vulnerabilities and their Handling

During this period, fixes were released for Microsoft's Windows*5*6*7 and Internet Explorer*8*9. Fixes were also released for Adobe Systems' Adobe Flash Player. A quarterly update was provided for Oracle's Java SE, fixing many vulnerabilities. Several of these vulnerabilities were exploited in the wild before patches were released. Regarding server applications, a quarterly update was released for a number of Oracle products, including the Oracle database server, fixing many vulnerabilities. A vulnerability in the BIND9 DNS software that could cause abnormal operations or service outages on servers under specific conditions, due to an issue with the management of DNSSEC trust anchors, was fixed. A number of vulnerabilities that could allow the bypass of ACL rules or cause abnormal termination through the use of specially-crafted packets were fixed in the ntpd program used for time synchronization. A vulnerability that could cause the abnormal termination of applications through a buffer overflow was fixed in the GNU C Library (glibc) included in Linux distributions and elsewhere. It was also announced that there was a vulnerability in SSL/TLS implementations that could allow encrypted information to be decrypted through MITM attacks exploiting implementations that accept RSA keys of 512 bits or less, which were used due to U.S. encryption export restrictions in the 1990s. This vulnerability was fixed in OpenSSL*10. Google's Project Zero caused a stir when it announced it was possible to elevate privileges using DRAM errors caused by interference between memory cells when they are accessed, due to the high density of cells (the rowhammer problem). A scheduled semiannual update for Cisco's IOS was also released, fixing a number of vulnerabilities that could lead to DoS attacks and memory leaks.

*2 Malaysia Airlines, “Media Statement on Malaysia Airlines' Website” (http://www.malaysiaairlines.com/my/en/corporate-info/press-room/2015/media-statement-malaysia-airlines-website.html).
*3 National Police Agency, “Alert regarding website defacements by those claiming affiliation with ‘Islamic State (ISIS)’” (http://www.npa.go.jp/cyberpolice/detect/pdf/20150312.pdf) (in Japanese).
*4 The Internet Crime Complaint Center (IC3), “ISIL DEFACEMENTS EXPLOITING WORDPRESS VULNERABILITIES” (https://www.ic3.gov/media/2015/150407-1.aspx).
*5 “Microsoft Security Bulletin MS15-002 - Critical: Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393)” (https://technet.microsoft.com/library/security/ms15-002).
*6 “Microsoft Security Bulletin MS15-010 - Critical: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)” (https://technet.microsoft.com/library/security/ms15-010).
*7 “Microsoft Security Bulletin MS15-011 - Critical: Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)” (https://technet.microsoft.com/library/security/ms15-011).
*8 “Microsoft Security Bulletin MS15-009 - Critical: Security Update for Internet Explorer (3034682)” (https://technet.microsoft.com/library/security/ms15-009).
*9 “Microsoft Security Bulletin MS15-018 - Critical: Cumulative Security Update for Internet Explorer (3032359)” (https://technet.microsoft.com/library/security/ms15-018).
*10 “OpenSSL Security Advisory [08 Jan 2015] DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)” (https://www.openssl.org/news/secadv_20150108.txt).

January Incidents
*Dates are in Japan Standard Time
[Legend] V: Vulnerabilities  S: Security Incidents  P: Political and Social Situation  H: History  O: Other

1st [S]: A number of incidents occurred in which malware was distributed via an ad distribution system used on news sites in Canada and the U.S. Details can be found in the following Cyphort blog post. “HuffingtonPost Serving Malware via AOL Ad-Network” (http://www.cyphort.com/huffingtonpost-serving-malware/).

9th [V]: A number of vulnerabilities in OpenSSL that could cause service outages or allow arbitrary code execution were discovered and fixed. “DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)” (https://www.openssl.org/news/secadv_20150108.txt).

9th [O]: Microsoft announced they would no longer give an overview of their scheduled monthly security update program in advance via blog posts and the Web. “Evolving Microsoft's Advance Notification Service in 2015” (http://blogs.technet.com/b/msrc/archive/2015/01/08/evolving-advance-notification-service-in-2015.aspx).

9th [O]: The Japanese government established a Cyber Security Strategic Headquarters based on the enactment of the Basic Act on Cyber Security. They also set up the National center of Incident readiness and Strategy for Cybersecurity, a renaming of the National Information Security Center, as an organization to serve as the government's command post for cybersecurity. “Regarding establishment of the National center of Incident readiness and Strategy for Cybersecurity” (http://www.nisc.go.jp/press/pdf/reorganization.pdf) (in Japanese).

12th [O]: President Obama announced a number of legislative proposals aimed at increasing protection of personal information, such as a requirement that companies notify their customers of information leaks within 30 days of them being discovered. Whitehouse.gov, “FACT SHEET: Safeguarding American Consumers & Families” (https://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families).

13th [S]: An unknown party hijacked the Twitter (@CENTCOM) and YouTube accounts of U.S. Central Command, and released a number of files said to contain classified information. It was later confirmed that the information in the released files was publicly available. U.S. Central Command, “Statement from U.S. Central Command Regarding Twitter/YouTube Compromise” (http://www.centcom.mil/en/news/articles/statement-from-u.s.-central-command-regarding-twitter-youtube-compromise).

14th [V]: Microsoft published their Security Bulletin Summary for January 2015, and released eight updates, including one critical update, MS15-002, as well as seven important updates. “Microsoft Security Bulletin Summary for January 2015” (https://technet.microsoft.com/library/security/ms15-jan).

14th [V]: A number of vulnerabilities in Adobe Flash Player that could allow arbitrary code execution were discovered and fixed. “Security updates available for Adobe Flash Player” (http://helpx.adobe.com/security/products/flash-player/apsb15-01.html).

19th [O]: ENISA published a collection of information covering formats, standards, and tools for sharing threat information between organizations. “Standards and tools for exchange and processing of actionable information” (https://www.enisa.europa.eu/activities/cert/support/actionable-information/standards-and-tools-for-exchange-and-processing-of-actionable-information).

19th [S]: Tokyo Metropolitan University announced that the NAS used on its campus had been accessible from outside via FTP connection, potentially exposing the personal information stored within. “Regarding external access to NAS containing personal information at Tokyo Metropolitan University” (http://www.tmu.ac.jp/news/topics/8448.html?d=assets/files/download/news/press_150119.pdf) (in Japanese).

21st [V]: Oracle released their quarterly scheduled update for a number of products, fixing a total of 169 vulnerabilities, 19 of them in Java SE. Additionally, because support for Java 7 ended in April 2015, measures were taken to automatically update to Java 8 in cases where the auto update function was enabled. “Oracle Critical Patch Update Advisory - January 2015” (http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html).

21st [O]: The FBI issued a warning due to an increase in the damages caused by ransomware such as Cryptolocker and CryptoWall. FBI, “Ransomware on the Rise: FBI and Partners Working to Combat This Cyber Threat” (http://www.fbi.gov/news/stories/2015/january/ … -on-the-rise).

23rd [V]: A vulnerability in a number of ASUSTeK brand wireless LAN routers that could allow unintended actions to be carried out through cross-site request forgery or OS command injection when a malicious website is viewed while logged in to the management screen was discovered and fixed. “Request to update firmware that fixes a cross-site request forgery and OS command injection vulnerability in wireless LAN router products” (http://www.asus.com/jp/News/PNzPd7vkXtrKWXHR) (in Japanese).

23rd [O]: The Telecom Information Sharing and Analysis Center Japan held an exercise that anticipated a large-scale cyber attack on communications infrastructure, with 12 organizations including member ISPs and critical infrastructure providers participating. “Exercise for anticipating a cyber attack on communications infrastructure [CAE2015: Cyber Attack Exercise]” (https://www.telecom-isac.jp/news/news20150120.html) (in Japanese).

23rd [V]: A vulnerability in Adobe Flash Player that could allow arbitrary code execution was discovered and fixed. “APSB15-02: Security updates available for Adobe Flash Player” (http://helpx.adobe.com/security/products/flash-player/apsb15-02.html).

25th [V]: A vulnerability in Adobe Flash Player that could allow arbitrary code execution was discovered and fixed. “APSB15-03: Security updates available for Adobe Flash Player” (https://helpx.adobe.com/security/products/flash-player/apsb15-03.html).

26th [V]: A vulnerability was found in wired LAN routers sold in 2004 that could lead to them being used as stepping stones in SSDP reflection attacks, and information on disabling the UPnP function in settings as a countermeasure was released. JVN, “JVN#27142693 NP-BBRM vulnerable in UPnP functionality” (http://jvn.jp/en/jp/JVN27142693/).

28th [V]: A vulnerability in the glibc library that could cause service outages or allow remote arbitrary code execution through a buffer overflow was discovered and fixed. “Qualys Security Advisory CVE-2015-0235 GHOST: glibc gethostbyname buffer overflow” (https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt).

■ Attacks Targeting Home Routers

During the current survey period, a number of vulnerabilities in home routers were discovered and fixed. Several of these vulnerabilities could have allowed a third party to gain administrator privileges for the router without authorization, or to change settings arbitrarily. Vulnerabilities that could allow a router to be exploited as a stepping stone in DrDoS attacks*11 were also discovered and fixed. Past attacks targeting home routers that exploited vulnerabilities include incidents that occurred in Brazil and other countries in 2011. In these incidents, router DNS settings were rewritten so that fraudulent DNS servers prepared by the attacker were referenced, redirecting users to fraudulent sites*12. Similar attacks have also taken place more recently. For example, in March there were reports of an incident in which ads were distributed by exploiting the URL for a Web access analysis service*13. In Japan, there was an incident in which a provider was arrested for operating a proxy server used for unauthorized access in 2014. In this incident, it is thought that a vulnerability in home routers that was fixed in 2012 was exploited to obtain PPPoE authentication IDs and passwords unlawfully. Unlike PCs, which are updated regularly, users tend to neglect to check the settings of home routers and update the firmware once they are set up. Consequently, even when a vulnerability is fixed, it may remain unpatched for a long time afterwards. It is expected that attacks targeting network devices such as home routers that are not managed properly in this way will continue to occur in the future. That means it will be necessary to manage these devices appropriately by confirming settings regularly and checking whether updated firmware has been released.

■ Unauthorized Login Through Identity Fraud

Since last year there have been many attempts to steal user IDs and passwords, and to log in without authorization, presumably using lists of these IDs and passwords. These attempts continued in the current survey period. Attacks have targeted a variety of websites, such as loyalty program sites, newspaper-related sites, and ISP support sites. In some cases these attacks resulted in monetary damages, such as the exchange of reward points without authorization.

■ Information Leaks Due to Unauthorized Access

Information leaks caused by unauthorized access also continue to occur. In January the website of a professional sports association in Japan was compromised, resulting in the leak of approximately 20,000 pieces of internal photo data. In February, there was an incident in which information on up to 80 million people, including past and present customers and employees, leaked from a U.S. health insurer after its internal database was accessed without authorization. In March, ICANN (Internet Corporation for Assigned Names and Numbers) was once again compromised, leading to suspension of the new gTLD system. Furthermore, in February there was an incident of unauthorized access at a domain registrar in Japan, causing damages such as the leak of the administrator information registered at the time of domain registration. In this incident, the affected company announced it would not resume service, due to it being difficult to carry out in a timely manner, and instead prompted customers to transfer their domains to other operators*14. During the current survey period there were also malware infections and associated information leaks at a number of companies, including a trading company and a newspaper publisher. In these incidents, it was announced that there were traces of client information and email content being sent to external parties from PCs infected through fraudulent email, which misrepresented the sender and had malware attached.

■ Government Agency Initiatives

Government agency initiatives included the January enforcement of the Act on Cyber Security that was passed last year, and the establishment of the Cyber Security Strategic Headquarters. The National Information Security Center was also reorganized into the National center of Incident readiness and Strategy for Cybersecurity. Additionally, the first general meeting of the Cyber Security Strategic Headquarters was held in February. At this meeting, a new cyber security strategy for determining the details of future activities and the basic policy for cyber security measures was discussed. In March, a bill to amend the Act on the Protection of Personal Information was approved by the Japanese cabinet. This bill is aimed at protecting personal information while also enabling the creation of new industries and services through promoting the
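Detection logic for the list-based login attempts described under “Unauthorized Login Through Identity Fraud” above, as an added example rather than IIJ's own method. The log format (one hypothetical key=value line per login attempt), the thresholds and the sample log are assumptions constructed for the example: one source tries many different accounts once each (a leaked ID/password list being replayed), one source brute-forces a single account, and one ordinary user mistypes a password. The point of the two separate rules is that a list attack trips no per-account lockout, since each account is tried only once, so it has to be caught on the number of distinct accounts per source.

```python
"""Classify login sources from an authentication log: list attack, brute force, or benign.

Added example, not code from IIJ or the IIR. The log format is hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.5 replays a credential list,
# 198.51.100.7 brute-forces "alice", 192.0.2.10 is a user who mistyped once.
SAMPLE_LOG = """\
2015-02-03T10:00:01 src=203.0.113.5 user=alice result=FAIL
2015-02-03T10:00:02 src=203.0.113.5 user=bob result=FAIL
2015-02-03T10:00:03 src=203.0.113.5 user=carol result=OK
2015-02-03T10:00:04 src=203.0.113.5 user=dave result=FAIL
2015-02-03T10:00:05 src=203.0.113.5 user=erin result=FAIL
2015-02-03T10:00:06 src=203.0.113.5 user=frank result=FAIL
2015-02-03T10:00:07 src=203.0.113.5 user=grace result=OK
2015-02-03T10:01:00 src=198.51.100.7 user=alice result=FAIL
2015-02-03T10:01:01 src=198.51.100.7 user=alice result=FAIL
2015-02-03T10:01:02 src=198.51.100.7 user=alice result=FAIL
2015-02-03T10:01:03 src=198.51.100.7 user=alice result=FAIL
2015-02-03T10:05:00 src=192.0.2.10 user=heidi result=FAIL
2015-02-03T10:05:20 src=192.0.2.10 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Parse the hypothetical key=value log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def analyze(text, window=timedelta(minutes=10), min_accounts=5,
            max_per_account=2, brute_threshold=4):
    """Return (verdicts, compromised).

    verdicts maps a source IP to "list_attack" (>= min_accounts distinct users within
    `window`, none tried more than max_per_account times) or "brute_force"
    (>= brute_threshold failures against a single user). compromised lists accounts
    that logged in successfully from a list_attack source: those passwords are burnt.
    """
    by_src = defaultdict(list)
    for ev in parse_log(text):
        by_src[ev["src"]].append(ev)

    verdicts, compromised = {}, set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):             # sliding window over this source
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            per_user, failures = defaultdict(int), 0
            for e in win:
                per_user[e["user"]] += 1
                failures += e["result"] == "FAIL"
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                verdicts[src] = "list_attack"
                compromised.update(e["user"] for e in win if e["result"] == "OK")
            elif len(per_user) == 1 and failures >= brute_threshold:
                verdicts.setdefault(src, "brute_force")
    return verdicts, sorted(compromised)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against a real log, the `compromised` list is the actionable output: those accounts need a forced password reset and a look at what was done in the session, because the attacker already held valid credentials for them before the first attempt.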

*11 See “1.4.2 DrDoS Attacks and Countermeasures” in Vol.23 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol23_EN.pdf) for more information.
*12 For more information, see the following IIJ-SECT blog post, “Home Routers Reference Fake DNS Server due to Unauthorized Configuration Changes” (https://sect.iij.ad.jp/d/2012/06/148528.html) (in Japanese).
*13 Ara Labs Technology, “Ad-Fraud Malware Hijacks Router DNS – Injects Ads Via Google Analytics” (http://aralabs.com/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics/).
*14 Telework Communications Co., Ltd., “Apology and report regarding the leak of customer information” (http://www.ariqui.net/) (in Japanese).
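The router attacks described under “Attacks Targeting Home Routers” above all end in the same place: the router hands out a resolver the attacker controls. The following Python script, an added example that is not part of the IIR text or of IIJ's tooling, turns the recommended routine check into something a practitioner can schedule. It resolves a canary name through the router's resolver and through a resolver the operator trusts, and flags the router when the two answer sets share no address. The resolver addresses, the canary name and the response bytes are assumptions constructed for the example; the offline demo builds the responses itself so the wire-format parser runs without a network. One caveat is built into the design: CDN-hosted names legitimately answer differently from different resolvers, so the canary must be a name with a stable address, and a rejected transaction id or non-zero RCODE is reported rather than silently treated as a hijack.

```python
"""Compare a home router's DNS answers with a trusted resolver's to spot DNS hijacking.

Added example, not IIJ code. Resolver addresses and the canary name are assumptions.
"""
import socket
import struct


def build_query(name, qid):
    """Build a minimal DNS A/IN query (RD=1) for `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # resume after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, qid):
    """Return the IPv4 addresses in the answer section of a DNS response.

    Rejects an id mismatch (cheap protection against blind spoofed replies) and
    any non-zero RCODE, so a broken resolver is not mistaken for a hijacked one.
    """
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                # skip echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_via(server, name, qid=0x1234, timeout=3.0):
    """Live UDP lookup (not exercised by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, qid)


def looks_hijacked(router_answer, trusted_answer):
    """True when the router's answers share no address with the trusted answers."""
    if not router_answer or not trusted_answer:
        raise ValueError("empty answer set")
    return set(router_answer).isdisjoint(trusted_answer)


def build_response(query, addrs, ttl=300):
    """Constructed response for the offline demo: echoes the question and answers with
    `addrs`, naming each RR by a compression pointer (0xC00C) to the question name."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:] + rrs


def offline_demo():
    """A trusted answer versus a router answer that points somewhere else entirely."""
    q = build_query("canary.example.net", qid=0x1234)      # assumption: stable address
    trusted = parse_a_records(build_response(q, ["198.51.100.10"]), qid=0x1234)
    router = parse_a_records(build_response(q, ["203.0.113.66"]), qid=0x1234)
    return trusted, router, looks_hijacked(router, trusted)


if __name__ == "__main__":
    print(offline_demo())
```

For a live check, call `resolve_via` twice with the router's LAN address (typically the default gateway) and a resolver you trust, and hand both results to `looks_hijacked`; a positive result is the cue to inspect the router's DNS settings and firmware version, which is exactly the routine the paragraph above asks for.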

February Incidents
*Dates are in Japan Standard Time
[Legend] V: Vulnerabilities  S: Security Incidents  P: Political and Social Situation  H: History  O: Other

1st [V]: A researcher at a security company in the U.K. announced there was a universal cross-site scripting (XSS) vulnerability, with no fix available, in Microsoft's Internet Explorer 11.

2nd [S]: A large-scale DoS attack targeting a specific domain took place over a number of days, causing outages on multiple DNS servers in Japan.

4th [V]: Vulnerabilities in ntpd were discovered and fixed. These could allow the bypass of ACL rules via IP address spoofing (CVE-2014-9298), or cause information leaks and abnormal termination through the use of specially-crafted packets (CVE-2014-9297). US-CERT, “Vulnerability Note VU#852879 NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)” (http://www.kb.cert.org/vuls/id/852879).

4th [S]: The man suspected of being behind the Remote Control Virus incident in 2013 received a prison sentence of eight years.

5th [S]: U.S. health insurer Anthem announced that a database containing information on around 80 million current and former customers and employees had been compromised. Anthem, “How to Access & Sign Up For Identity Theft Repair & Credit Monitoring Services” (https://www.anthemfacts.com/).

6th [V]: A number of vulnerabilities in Adobe Flash Player that could allow arbitrary code execution were discovered and fixed. “APSB15-04: Security updates available for Adobe Flash Player” (https://helpx.adobe.com/security/products/flash-player/apsb15-04.html).

6th [O]: IPA published “10 Major Security Threats for the Year 2015.” (https://www.ipa.go.jp/security/vuln/10threats2015.html) (in Japanese).

10th [O]: The Japanese government held the 1st general meeting of the Cyber Security Strategic Headquarters, where discussions were held regarding establishing cyber security strategies for the comprehensive and effective promotion of measures. “1st General Meeting (February 10, 2015)” (http://www.nisc.go.jp/conference/cs/index.html#cs01) (in Japanese).

11th [V]: Microsoft published their Security Bulletin Summary for February 2015, and released nine updates, including three critical updates, MS15-009, MS15-010, and MS15-011, as well as six important updates. “Microsoft Security Bulletin Summary for February 2015” (https://technet.microsoft.com/library/security/ms15-feb).

13th [O]: In the United States, an executive order calling for information sharing between government agencies and private-sector businesses to protect against cyberspace threats and system breaches came into effect. Whitehouse.gov, “FACT SHEET: Executive Order Promoting Private Sector Cybersecurity Information Sharing” (https://www.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting-private-sector-cybersecurity-inform).

18th [O]: Microsoft announced it had established a Japan satellite of its Cybercrime Center for researching cybercrime countermeasures, and indicated that it intended to provide information and technical support to customers including government agencies and companies. “‘Microsoft Cybercrime Center - Japan Satellite’ established to reinforce cybersecurity initiatives in Japan” (http://news.microsoft.com/ja-jp/2015/02/18/150218-cybercrimecenter-japan/) (in Japanese).

19th [V]: A vulnerability was discovered and fixed in BIND9. This could cause abnormal operations or service outages on servers due to an issue with the implementation of exception handling for auto-updated trust anchors. Internet Systems Consortium, “CVE-2015-1349: A Problem with Trust Anchor Management Can Cause named to Crash” (https://kb.isc.org/article/AA-01235).

20th [V]: A number of issues were discovered and fixed in software pre-installed on PCs that could allow MITM attacks or fake websites with falsified certificates. See the following Lenovo announcement for more information about this incident. “SuperFish Vulnerability” (http://support.lenovo.com/us/en/product_security/superfish).

20th [S]: The Information Technology Promotion Agency, Japan (IPA) issued an alert regarding problems with unintended information leaks through the use of Web services, such as information that users enter into a translation service website being published on the Internet. “Press Release [Alert] Beware of unintended information leaks regarding data entered into cloud services” (http://www.ipa.go.jp/about/press/20150220.html) (in Japanese).

25th [S]: Europol's European Cybercrime Centre (EC3) announced that the Ramnit botnet had been taken down in a joint operation with a number of security vendors such as Microsoft and Symantec. “Botnet taken down through international law enforcement cooperation” (https://www.europol.europa.eu/content/botnet-taken-down-through-international-law-enforcement-cooperation).

■ Other

In January, a number of incidents occurred in which malware was distributed via an ad distribution system used on news sites in Canada and the U.S. It has been identified that these attacks exhibited similar properties to attacks redirecting users to malware sites via fake ads on YouTube that occurred in October 2014*15. In Japan, there were incidents in which ad distribution servers used by a number of media outlets and news sites were altered through unauthorized access in 2010*16. These are also known as malvertising. In addition to alterations, there have also been frequent cases in which users were redirected to malware sites through legitimate ad spots. This is recognized as an efficient method for causing large numbers of malware infections. We expect that attacks exploiting ad distribution systems like this will continue to occur, so ongoing vigilance is required.

One initiative said to be necessary to improve cyber attack response capabilities is information sharing between the government and citizens, as well as between private companies. However, it has been pointed out that sharing information on threats such as attacks between different organizations or companies is difficult when the handling of that information, including what kind of information is required and which of it should be shared, is not clearly defined. The U.S. nonprofit organization MITRE Corporation (MITRE)*17 has proposed STIX (Structured Threat Information eXpression)*18, a description specification using XML. The objective of this specification is to structure information on cyber threats such as attacks, aiding their analysis, the identification of characteristic events, response management, and information sharing. IPA has published an “Outline of the STIX Format for Structuring and Describing Threat Information,” which provides an explanation of this specification*19.

… screen. One particularly problematic behavior it exhibited was that it could even insert ads into encrypted SSL/TLS communications, because it installed self-signed certificates into the local certificate store. A number of other issues were also identified, such as the fact that the encryption method for these installed certificates was not sufficiently strong, and that the private key for the installed certificates was included in the software, exposing it. In relation to these issues, alerts were issued after it was revealed that the same problems affected a number of other software programs using the same SDK, as this SDK was actually the root cause*20. Lenovo made these issues public and took measures including the release of a tool for removing this software. After dealing with the problem together with security vendors and other organizations, they reported that the number of affected PCs had decreased*21.
browser auser’s in ads displaying and inserting for functions contained and adware, so-called was stopped, practice this 2015 when January 2014 and September between shipped PCs on installed was software, which This attention. widespread received PCs Lenovo on preinstalled software with issues period, survey this During PCs on Pre-Installed Software with n Issues care. health and such finance as fields in numbers identity personal for usage of scope the expanding numbers), identity personal including (information information personal specific of use the promoting for systems the to amendment an included also decision cabinet This Databases. Information Personal Supplying of Crime the of establishment the including increased, were information personal containing adatabase from data of theft or supply unauthorized the for penalties leaks, information to response in information. Furthermore, personal of handling the supervise and monitor to authority with Committee Protection Information Personal athird-party of creation the prescribes also It information. personal into reconstructed be cannot and anonymized is that data of handling the regarding rules establishes and clearly, more information personal defines bill the information, personal of utility and protection the to To contribute citizens. of security and safety the improving and data, personal of utilization *15 communications such as this threaten the privacy and security of users* of security and privacy the threaten this as such communications

IPA, “Outline of the STIX Format for Structuring and Describing Threat Information” (http://www.ipa.go.jp/security/vuln/STIX.html) (in Japanese). (in (http://www.ipa.go.jp/security/vuln/STIX.html) Information” Threat Describing and Structuring for Format STIX the of “Outline IPA, (http://www.mitre.org/). Corporation MITRE (http://www.microad.co.jp/news/information/detail. services” (in our php?newid=News-0118) on Japanese). alterations regarding report and Apology Report: “Problem Inc., MicroAd, youtube-ads-lead-to-exploit-kits-hit-us-victims/). (http://blog.trendmicro.com/trendlabs-security-intelligence/ Victims” US Hit Kits, To Exploit Lead ”YouTube Ads Blog, Intelligence Security Micro Trends Electronic Frontier Foundation (EFF), “Dear Software Vendors: Please Stop Trying to Intercept Your Customers’ Encrypted Traffic” (https://www.eff.org/ Traffic” Encrypted YourCustomers’ Intercept to Trying deeplinks/2015/02/dear-software-vendors-please-stop-trying-intercept-your-customers-encrypted). Stop Please Vendors: Software “Dear (EFF), Foundation Frontier Electronic cleanup.aspx). MalwareMicrosoft Protection Center, “MSRTcleanup” Superfish March: (http://blogs.technet.com/b/mmpc/archive/2015/03/10/msrt-march-superfish- US-CERT, “Vulnerability Note VU#529496 - Komodia Redirector with SSL Digestor fails to properly validate SSL and installs non-unique root CA CA root non-unique installs and SSL validate properly to fails and private keys”(http://www.kb.cert.org/vuls/id/529496). certificates Digestor SSL with Redirector -Komodia VU#529496 Note “Vulnerability US-CERT, 16 . However, a U.S. nonprofit organization among others has pointed out that efforts to intercept user user intercept to efforts that out pointed has others among organization nonprofit aU.S. . However, 21 . 20 is leading moves to develop the STIX (Structured Threat Information eXpression) eXpression) Information Threat (Structured STIX the develop to moves leading is 17 . 18 . 
Attacks using ad distribution systems such as as such systems distribution ad using . Attacks 19 , and similar incidents have been confirmed confirmed been have incidents similar , and 15 .

March Incidents
*Dates are in Japan Standard Time
[Legend] V: Vulnerabilities   S: Security Incidents   P: Political and Social Situation   H: History   O: Other

3rd: An incident occurred in which the website of an airport company was compromised by an unknown party, and altered to redirect visitors to another website. Narita International Airport Corporation, “Apology for Shutdown of Website & Explanation” (http://www.narita-airport.jp/en/news/150305.html).

4th: A vulnerability in TLS/SSL protocols that could allow MITM attacks under certain circumstances was discovered and fixed. This vulnerability was caused by weak RSA encryption from the period when the U.S. restricted exports. See the following explanation by the discoverer for more information about the attack method. “FREAK: Factoring RSA Export Keys” (https://www.smacktls.com/#freak).

7th: It was discovered that the µTorrent BitTorrent client software was installing Bitcoin mining software without users’ permission. See the following µTorrent user forum post for information on the circumstances surrounding this problem. “Warning: EpicScale ‘riskware’ installed with latest uTorrent” (http://forum.utorrent.com/topic/95041-warning-epicscale-riskware-installed-with-latest-utorrent/).

10th: It was announced that it was possible to elevate privileges using DRAM errors caused by interference between memory cells when they are accessed, due to the high density of cells (the rowhammer problem). See the following Google Project Zero announcement for more details. “Exploiting the DRAM rowhammer bug to gain kernel privileges” (http://googleprojectzero.blogspot.in/2015/03/exploiting-dram-rowhammer-bug-to-gain.html).

10th: Following cabinet approval of a bill to amend the Act on Protection of Personal Information and the Number Use Act, the government submitted this bill to the Diet. Cabinet Secretariat, Bill for Submission to the Diet at the 189th Regular Session, “Legislative Bill to Amend Part of the Act on Protection of Personal Information and the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedure” (http://www.cas.go.jp/jp/houan/189.html) (in Japanese).

11th: Microsoft published their Security Bulletin Summary for March 2015, and released 14 updates, including five critical updates such as MS15-018, as well as nine important updates. “Microsoft Security Bulletin Summary for March 2015” (https://technet.microsoft.com/library/security/ms15-mar).

11th: A number of websites in Japan were defaced in incidents thought to have exploited a WordPress vulnerability. National Police Agency, “Regarding the defacement of websites by parties claiming affiliation with ‘Islamic State (ISIS)’” (http://www.npa.go.jp/keibi/biki/201503kaizan.pdf) (in Japanese).

12th: IPA published a revised 7th edition of “Building Secure Websites,” which summarizes points for developers and operators to take into consideration to prevent unintended damages such as information leaks or alterations affecting websites. The revised content included the addition of measures regarding a number of attacks such as password list attacks. “How to Secure Your Website” (https://www.ipa.go.jp/security/vuln/websecurity.html) (in Japanese).

12th: The National Police Agency made an announcement regarding the state of cyberspace threats in 2014. While there was a drop in the number of arrests for cybercrimes, prefectural police received more inquiries at their consultation counters than the previous year, reaching a record-high number. The techniques used also became more devious and sophisticated, and it is stated that the total damages of illegal remittance crimes related to Internet banking were the worst they have ever been. “Report on Cyberspace Threats for 2014” (http://www.npa.go.jp/kanbou/cybersecurity/H26_jousei.pdf) (in Japanese).

13th: A number of vulnerabilities in Adobe Flash Player that could allow arbitrary code execution were discovered and fixed. “APSB15-05: Security updates available for Adobe Flash Player” (https://helpx.adobe.com/security/products/flash-player/apsb15-05.html).

17th: The National Diet Library issued their “Problems with Information and Communications” and “Information Communications Technology Promotion and Cyber Security” research reports. These summarize the current state of issues of policy regarding information and communications, as well as the growing problem of cyber security. “2015-3-17 Research reports ‘Aspects of Information and Communication’ ‘Advances in Communication Technology and Cyber Security’ (Japanese) published.” (http://www.ndl.go.jp/en/news/fy2014/1209642_2113.html).

18th: GreatFire.org, which provides information on the status of blocked sites in China, announced it was being targeted by a large-scale DDoS attack. See the following GreatFire.org blog post for more information about this attack, “We are under attack” (https://en.greatfire.org/blog/2015/mar/we-are-under-attack).

26th: U.S. company GitHub was targeted in a large-scale DDoS attack that spanned several days. See the following GitHub announcement for more information, “Large Scale DDoS Attack on github.com” (https://github.com/blog/1981-large-scale-ddos-attack-on--com).

26th: Cisco released a scheduled semiannual update for IOS, incorporating a total of seven fixes to issues that could lead to DoS attacks or cause memory leaks. “Cisco Event Response: March 2015 Semiannual Cisco IOS and XE Software Security Advisory Bundled Publication” (http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar15.html).

31st: IPA published “Effective Vulnerability Countermeasure Procedures (Practical Edition),” which summarizes advice regarding the collection of vulnerability information and the utilization of such information to deal with vulnerabilities effectively. “IPA Technical Watch ‘Effective Vulnerability Countermeasure Procedures (Practical Edition)’” (http://www.ipa.go.jp/security/technicalwatch/20150331.html) (in Japanese).

In March, U.S. company GitHub was targeted in a large-scale DDoS attack that spanned several days*22. It has been identified that JavaScript on a Chinese search service provider may have been altered by an unknown party when accessed from outside China, so that it could be used in these attacks*25.

Also in March, there was an incident in which certificates for a number of Google domains were issued without authorization by an intermediate certificate authority in Egypt. These certificates were each revoked on major browsers. In this incident, it is said the only confirmation of the validity of an application for a certificate was a check to see whether an email address at the domain name the certificate was for could be contacted. Additionally, after learning that the confirmation of application validity upon issue was lacking at a number of certificate authorities in this way, an alert was issued*26.

1.3 Incident Survey

1.3.1 DDoS Attacks
Today, DDoS attacks on corporate servers are almost a daily occurrence, and the methods involved vary widely. However, most of these attacks are not the type that utilizes advanced knowledge such as that of vulnerabilities, but rather cause large volumes of unnecessary traffic to overwhelm network bandwidth or server processes for the purpose of hindering services.

■ Direct Observations
Figure 2 shows the circumstances of DDoS attacks handled by the IIJ DDoS Protection Service between January 1 and March 31, 2015. This information shows traffic anomalies judged to be attacks based on IIJ DDoS Protection Service standards. IIJ also responds to other DDoS attacks, but these incidents are excluded from the figure due to the difficulty in accurately ascertaining the facts of each situation. There are many methods that can be used to carry out a DDoS attack, and the capacity of the environment attacked (bandwidth and server performance) will largely determine the degree of impact. Figure 2 categorizes DDoS attacks into three types: attacks on bandwidth capacity*23, attacks on servers*24, and compound attacks (several types of attacks on a single target conducted at the same time).

[Figure 2: Trends in DDoS Attacks. Daily number of attacks (No. of Attacks, 0 to 14) from 2015.1.1 to 2015.3.31, broken down into Server Attacks, Bandwidth Capacity Attacks and Compound Attacks.]

During the three months under study, IIJ dealt with 384 DDoS attacks. This averages to 4.27 attacks per day, indicating an increase in the average daily number of attacks compared to our prior report. Server attacks accounted for 69.3% of all incidents, while compound attacks accounted for 23.4%, and bandwidth capacity attacks 7.3%. The largest attack observed during the period under study was classified as a compound attack, and resulted in 2.83 Gbps of bandwidth using up to 1,179,000 pps packets. Of all attacks, 82.6% ended within 30 minutes of commencement, 17.4% lasted between 30 minutes and 24 hours, and none lasted over 24 hours. The longest sustained attack was a compound attack that lasted for ten hours and 37 minutes. In most cases, we observed an extremely large number of IP addresses, whether domestic or foreign. We believe this is accounted for by the use of IP spoofing*27 and botnet*28 usage as the method for conducting DDoS attacks.

■ Backscatter Observations
Next we present our observations of DDoS attack backscatter using the honeypots*29 set up by the MITF, a malware activity observation project operated by IIJ*30. By monitoring backscatter it is possible to detect some of the DDoS attacks occurring on external networks as a third party without any interposition. For the backscatter observed between January 1 and March 31, 2015, Figure 3 shows the sender’s IP addresses classified by country, and Figure 4 shows trends in packet numbers by port.

[Figure 3: DDoS Attack Targets by Country According to Backscatter Observations. CA 20.3%, US 18.4%, CN 14.3%, FR 9.6%, KR 5.3%, NL 4.8%, BR 3.2%, DE 2.8%, RU 2.3%, IT 1.3%, Other 17.7%.]

[Figure 4: Observations of Backscatter Caused by DDoS Attacks (Observed Packets, Trends by Port). Daily packet counts (No. of Packets, 0 to 80,000) from 2015.1.1 to 2015.3.31 for 80/TCP, 53/UDP, 6667/TCP, 2710/TCP, 25/TCP, 25565/TCP, 411/TCP, 443/TCP, 27015/UDP, 22/TCP and other.]

The port most commonly targeted by the DDoS attacks observed was the 80/TCP port used for Web services, accounting for 38.2% of the total during the target period. This was followed by 53/UDP used for DNS at 31.8%, so the top two ports accounted for 70% of the total. Attacks were also observed on 6667/TCP used for IRC (Internet Relay Chat), 25/TCP used for SMTP, and 443/TCP used for HTTPS, as well as the typically unused 2710/TCP, 25565/TCP, and 27015/UDP. Examining the daily average number of packets for the 53/UDP communications observed often since February 2014, we can see there is still an upward trend, with it rising to around 6,200 from around 3,900 in the previous survey period.

Looking at the origin of backscatter thought to indicate IP addresses targeted by DDoS by country in Figure 3, Canada accounted for the largest ratio at 20.3%. The United States and China followed at 18.4% and 14.3%, respectively. Regarding particularly large numbers of backscatter packets observed, there were attacks on the Web servers (80/TCP) of a hosting provider in Canada between January 21 and January 26. From March 20, continued attacks on this provider were observed, focusing on a number of websites related to a game made in China. Additionally, attacks were observed on a U.S. hosting provider between March 4 and March 9. Regarding attacks on other ports, between January 22 and January 25 there were attacks on 25/TCP targeting a game-related site in France.

Notable DDoS attacks during the current survey period that were detected via IIJ’s observations of backscatter included attacks on a Finnish financial institution group between January 1 and January 4, and attacks on Islamic extremist sites carried out by Anonymous on January 11 (OpCharlieHebdo). Attacks on GitHub were also detected between March 27 and March 29. Regarding these attacks on GitHub, because the reported attack method does not generate backscatter, we know that another method was also used at the same time.

*22 See the Sophos Naked Security blog post, “Greatfire.org faces daily $30,000 bill from DDoS attack” (https://nakedsecurity.sophos.com/2015/03/20/greatfire-org-faces-daily-30000-bill-from-ddos-attack/) for more information about this attack.
*23 Attack that overwhelms the network bandwidth capacity of a target by sending massive volumes of larger-than-necessary IP packets and fragments. The use of UDP packets is called a UDP flood, while the use of ICMP packets is called an ICMP flood.
*24 TCP SYN flood, TCP connection flood, and HTTP GET flood attacks. TCP SYN flood attacks send mass volumes of SYN packets that signal the start of TCP connections, forcing the target to prepare for major incoming connections, causing the wastage of processing capacity and memory. TCP connection flood attacks establish mass volumes of actual TCP connections. HTTP GET flood attacks establish TCP connections on a Web server, and then send mass volumes of HTTP GET protocol commands, wasting processing capacity and memory.
*25 See the following report for more information on this attack method. “Using Baidu 百度 to steer millions of computers to launch denial of service attacks” (https://drive.google.com/file/d/0ByrxblDXR_yqeUNZYU5WcjFCbXM/view).
*26 US-CERT, “Vulnerability Note VU#591120 - Multiple SSL certificate authorities use predefined email addresses as proof of domain ownership” (http://www.kb.cert.org/vuls/id/591120).
*27 Misrepresentation of a sender’s IP address. Creates and sends an attack packet that has been given an address other than the actual IP address of the attacker to make it appear as if the attack is coming from a different location, or from a large number of individuals.
*28 A “bot” is a type of malware that institutes an attack after receiving a command from an external C&C server. A network constructed of a large number of bots acting in concert is called a botnet.
*29 Honeypots established by the MITF, a malware activity observation project operated by IIJ. See also “1.3.2 Malware Activities.”
*30 The mechanism and limitations of this observation method, as well as some of the results of IIJ’s observations, are presented in Vol.8 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf) under “1.4.2 Observations on Backscatter Caused by DDoS Attacks.”

1.3.2 Malware Activities
Here, we will discuss the results of the observations of the MITF*31, a malware activity observation project operated by IIJ. The MITF uses honeypots*32 connected to the Internet in a manner similar to general users in order to observe communications arriving over the Internet. Most appear to be communications by malware selecting a target at random, or scans attempting to locate a target for attack.
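Both kinds of observation just described rest on the same honeypot data: an unsolicited reply (backscatter) points at a DDoS victim, while unsolicited SYNs and UDP probes are the random communications and scans the MITF counts. The Python below is an added example, not the MITF's code, that triages constructed packet records the same way; the honeypot address, the prefix-to-country table, the burst threshold and the window are assumptions.

```python
"""Triage honeypot packet records into DDoS backscatter and random scans.
Added example, not code from IIJ's MITF; all addresses and thresholds are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HONEYPOT = "10.0.0.5"  # hypothetical honeypot address (assumption)

# Constructed prefix-to-country table; documentation ranges, not real allocations.
COUNTRY_BY_PREFIX = {
    "203.0.113.0/24": "CA",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "CN",
}


@dataclass(frozen=True)
class Packet:
    ts: int        # seconds since the start of the observation
    src: str       # sender IP address
    sport: int     # sender port
    dst: str       # honeypot address
    dport: int     # honeypot port
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flags such as "S", "SA", "RA", "R"; "" for UDP


def country_of(ip):
    addr = ip_address(ip)
    for prefix, cc in COUNTRY_BY_PREFIX.items():
        if addr in ip_network(prefix):
            return cc
    return "Other"


def classify(pkt, solicited):
    """Return "backscatter", "scan" or "other".

    solicited holds (peer ip, peer port) pairs the honeypot itself connected to,
    so genuine replies are not mistaken for backscatter. A SYN-ACK or RST that
    nothing we sent explains is a victim answering a SYN whose source address was
    spoofed to ours: the packet's *source* is the attacked host and its source
    port the attacked service. Unsolicited SYNs and UDP datagrams are the random
    communications and scans counted in 1.3.2.
    """
    if pkt.proto == "tcp":
        if pkt.flags in ("SA", "RA", "R") and (pkt.src, pkt.sport) not in solicited:
            return "backscatter"
        if pkt.flags == "S":
            return "scan"
    elif pkt.proto == "udp":
        return "scan"
    return "other"


def summarize(packets, solicited=frozenset(), min_packets=3, window=300):
    """Aggregate backscatter by attacked port and victim country, scans by probed
    port, and list victims seen min_packets or more times within `window` seconds
    (a burst of replies is what a SYN flood looks like from the outside).
    Methods that never make the victim reply to a spoofed address, such as an
    HTTP GET flood over completed connections, leave no backscatter at all."""
    by_port, by_country, scans_by_port = Counter(), Counter(), Counter()
    seen = defaultdict(list)
    for p in packets:
        kind = classify(p, solicited)
        if kind == "backscatter":
            by_port[f"{p.sport}/{p.proto.upper()}"] += 1
            by_country[country_of(p.src)] += 1
            seen[p.src].append(p.ts)
        elif kind == "scan":
            scans_by_port[f"{p.dport}/{p.proto.upper()}"] += 1
    targets = []
    for victim, times in seen.items():
        times.sort()
        for i, t0 in enumerate(times):
            j = i
            while j < len(times) and times[j] - t0 <= window:
                j += 1
            if j - i >= min_packets:
                targets.append((victim, times[i], times[j - 1]))
                break  # report each victim once, at its first qualifying burst
    return {"backscatter_by_port": by_port, "backscatter_by_country": by_country,
            "scans_by_port": scans_by_port, "likely_targets": targets}


# Constructed sample: a SYN flood reflected off a Web server, one stray RST,
# one reply the honeypot asked for itself, and a handful of random scans.
SAMPLE = [
    Packet(10, "203.0.113.7", 80, HONEYPOT, 41000, "tcp", "SA"),
    Packet(12, "203.0.113.7", 80, HONEYPOT, 41001, "tcp", "SA"),
    Packet(15, "203.0.113.7", 80, HONEYPOT, 41002, "tcp", "SA"),
    Packet(20, "203.0.113.7", 80, HONEYPOT, 41003, "tcp", "RA"),
    Packet(30, "198.51.100.9", 53, HONEYPOT, 41010, "tcp", "R"),
    Packet(31, "198.51.100.20", 443, HONEYPOT, 41011, "tcp", "SA"),
    Packet(40, "192.0.2.33", 51000, HONEYPOT, 23, "tcp", "S"),
    Packet(41, "192.0.2.33", 51001, HONEYPOT, 22, "tcp", "S"),
    Packet(42, "192.0.2.34", 51002, HONEYPOT, 1433, "tcp", "S"),
    Packet(43, "192.0.2.35", 53000, HONEYPOT, 53, "udp", ""),
]
SOLICITED = frozenset({("198.51.100.20", 443)})

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, SOLICITED).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```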

A system designed to simulate damages from attacks by emulating vulnerabilities, recording the behavior of attackers, and the activities of malware. of activities the and attackers, of behavior the recording vulnerabilities, emulating by attacks from damages simulate to designed A system for countermeasures. information actual to technical findings gather to these link to and activities, malware of countermeasures, state the understand to attempt an in malware honeypots observing of 2007, use May in the through activities began activity (MITF) network Force Task Investigation Malware The Force. Task Investigation Malware of abbreviation An

Malware Activities 32 connected to the Internet in a manner similar to general users in order to observe communications communications observe to order in users general to similar amanner in Internet the to connected 31 , a malware activity observation project operated by IIJ. The The IIJ. by operated project observation activity , amalware 13 Infrastructure Security 14 Infrastructure Security Figure 6: Communications Arriving at Honeypots (by Date, by Target Port, per Honeypot) per Port, Target by Date, (by Honeypots at Arriving Communications 6: Figure  5: Figure day* per acquired specimens of number total the show specimens acquired of number the 9, Figure 8and Figure In specimens. unique of number the in trends 9shows Figure acquired. specimens malware of number total the in trends shows 8 Figure while study, under period the during malware for source acquisition specimen the of distribution the 7shows Figure Activity Network n Malware trend. asimilar followed this and States, United the and China including countries to allocated addresses IP of number alarge from communications in increase an was there 23, March and 21 March Between servers. proxy or SSH, Telnet, find to attempting behavior scanning were communications these of Most Russia. and Taiwan, Kong, Hong States, United the China, as such countries to allocated addresses IP many from communications in a spike was there 20, 17 February and February Between Japan. and China to allocated addresses IP from received mainly was this that learned we investigation, Upon February. until continued period survey previous the in November since (23/TCP) Telnet targeting communications in RDP. increase for The used 443/TCP 3389/TCP and and HTTP, for used 80/TCP requests, echo ICMP HTTP-proxy, for used 8080/TCP Telnet, for used 23/TCP SSH, for used Server, SQL 22/TCP Microsoft’s by used 1433/TCP targeting behavior scanning observed We also systems. 
operating Microsoft by utilized ports TCP targeting behavior scanning demonstrated honeypots the at arriving communications the of Much MSRPC. on attacks as such port, aspecific to connections multiple involved attack the when attack asingle as connections TCP multiple count to data corrected we observations these in Additionally, study. to subject period entire the over ten) (top types packet incoming for trends the showing honeypot, per average the taken We have observation. of purpose the for honeypots numerous up set has MITF The packets). (incoming volumes total the in trends 6shows 31, Figure 2015. March 1and January between honeypots the into coming communications for country by addresses IP sender’s of distribution the 5shows Figure of Randomn Status Communications *34 *34 *33 (No. ofPackets) 1,000 1,200 1,400 1,600 1,800 2,000 200 400 600 800 2015.1.1 CN US HK TW RU KR DE FR NL BR 17.5% Other Outside Japan92.9% 0

fact into consideration when using this methodology as a measurement index. this take to ameasurement as efforts methodology best this its using when expended has MITF the consideration values, into hash fact different having that given malware same value, the of hash by specimens in specimens of result may uniqueness padding the and guarantee cannot obfuscation we While to inputs. designed is different for function hash The possible as input. outputs various for value different many as fixed-length a produce outputs that function) (hash function one-way a utilizing by derived is figure This honeypots. by acquired malware the indicates This 32.9% 21.3% 7.5% 3.4% 2.7% 2.1% 1.9% 1.3% 1.2% 1.1% under Study) Period Entire Country, (by Distribution Sender 2015.2.1 Within Japan7.1% Other 0.2% ISP I 0.2% ISP H G 0.2% ISP 0.3% ISP F 0.3% ISP E 0.3% ISP D 0.3% ISP C 0.9% ISP B 0.9% ISP A IIJ 1.5% 2.0% (954) removed any Conficker results when totaling data. totaling when results Conficker any removed and packages, software anti-virus multiple using Conficker detected have 9we Figure 8and Figure for reports, previous our with As name. malware by coded color displayed is 10 variants top the of a breakdown and software, anti-virus of a hash function* ahash of digest their to according categorized variants specimen of number the is specimens unique of number the while 2015.3.1 34 . Specimens are also identified using using identified also are . Specimens (Date) 23/TCP 445/TCP 22/TCP 135/TCP 1433/TCP ICMP Echorequest 443/TCP 8080/TCP 3389/TCP 80/TCP other 33 , servers* C&C botnet of 105 presence the confirmed MITF the addition, In downloaders. were 3.4% and bots, were 2.3% worms, were acquired specimens malware of 94.3% observation under period current the during analysis, independent MITF’s the Under malware. 
download to access PCs newly-infected that websites download of closure the despite continuing worms old as such malware of behavior infection to due was this believe we servers, Web from responses error 403 or 404 HTML were specimens format text these of many Because format. text in were specimens undetected of 49% about Additionally, Taiwan. and States, United the China, as such countries to allocated addresses IP from observed worms included they closely, more specimens undetected the investigating After malware. 19 different representing study, under period the during day per acquired were specimens 87 average, On *35 *35 Conficker) (Excluding Specimens Unique of Number the in Trends 9: Figure Conficker) (Excluding Acquired Specimens Malware of Number Total the in Trends 8: Figure  7: Figure during the current survey period. Algorithm) Generation (Domain aDGA used that aspecimen of appearance the to due was this but period, survey previous 100 150 200 250 300 350 400 (Total No.ofSpecimensAcquired) (No. ofUniqueSpecimens) 10 20 30 40 50 60 70 80 90 50 2015.1.1 2015.1.1 0 0 TW 22.1% US 9.1% EG 7.6% CN 7.3% IN 6.9% BR 4.8% HK 4.6% RU 4.0% ID 3.9% VE 3.1% Other Outside Japan99.5% An abbreviation of Command & Control Server. A server that provides commands to a botnet consisting of a large number of bots. of number alarge of consisting abotnet to commands provides that Aserver Server. &Control Command of abbreviation An 26.1% 35 Excluding Conficker) Excluding Study, under Period Entire Country, (by Source by Specimens Acquired of Distribution and 14 malware distribution sites. The number of botnet C&C servers continues to rise sharply as seen in the the in seen as sharply rise to continues servers C&C botnet of number The sites. 
Conficker Activity
Including Conficker, an average of 19,434 specimens were acquired per day during the period covered by this report, representing 608 different malware. While figures rise and fall over short periods, Conficker accounts for 99.5% of the total number of specimens acquired, and 97.0% of unique specimens. This demonstrates that Conficker remains by far the most prevalent malware, so we have omitted it from the figures in this report. Compared to the previous survey period, the total number of specimens acquired increased by approximately 19% during the period covered by this report, and the number of unique specimens increased by about 9%. According to the observations of the Conficker Working Group*36, as of April 3, 2015, a total of 707,844 unique IP addresses are infected*37. This indicates a drop to about 22% of the 3.2 million PCs observed in November 2011, but it demonstrates that infections are still widespread.

1.3.3 SQL Injection Attacks
Of the different types of Web server attacks, IIJ conducts ongoing surveys related to SQL injection attacks*38. SQL injection attacks have flared up in frequency numerous times in the past, and remain a major topic in Internet security. SQL injections are known to occur in one of three attack patterns: those that attempt to steal data, those that attempt to overload database servers, and those that attempt to rewrite Web content.

Figure 10 shows the distribution of SQL injection attacks against Web servers detected between January 1 and March 31, 2015. Figure 11 shows trends in the numbers of attacks. These are a summary of attacks detected by signatures on the IIJ Managed IPS Service. China was the source of 90.8% of attacks observed, while the United States and Japan accounted for 2.5% and 2.3% respectively, with other countries following in order.

There was a dramatic increase in the number of SQL injection attacks against Web servers compared to the previous report. This was mainly due to a significant spike in attacks from China, with several large-scale attacks occurring. During this period, attacks from multiple attack sources in China directed at specific targets took place on February 13. On February 16, attacks were also made from a number of other sources directed at multiple targets. Between February 20 and February 23, there were large-scale attacks from a number of sources in China against multiple targets. One of these attack targets was also attacked from another source in China between March 27 and March 30. Attacks on this target accounted for 66.3% of the overall attacks that occurred during this survey period. Attacks were made from multiple sources, with over 400,000 attacks observed from a single attack source in more than one case. Because most of the companies targeted by the attacks were connected to finance, it is believed that these were large-scale attempts to find vulnerabilities on Web servers of the financial industry. As previously shown, attacks of various types were properly detected and dealt with in the course of service. However, attack attempts continue, requiring ongoing attention.

Figure 10: Distribution of SQL Injection Attacks by Source
(Figure; data: CN 90.8%, US 2.5%, JP 2.3%, NL 0.9%, SA 0.9%, UK 0.3%, IT 0.3%, DE 0.2%, FR 0.2%, BR 0.2%, Other 1.4%)
Figure 11: Trends in SQL Injection Attacks (by Day, by Attack Type)
(Figure; daily detections from 2015.1.1 to 2015.3.31 on a scale of 0 to 500,000, with peaks labelled 795,256, 758,498, 602,536, 421,129, 394,484, 327,910, 300,962, 299,166 and 271,783; legend: SQL_Injection, HTTP_POST_SQL_Convert_Int, HTTP_POST_SQL_WaitForDelay, HTTP_GET_SQL_WaitForDelay, HTTP_GET_SQL_Convert_Int, SQL_Injection_Declare_Exec, HTTP_GET_SQL_UnionSelect, HTTP_GET_SQL_UnionAllSelect, HTTP_POST_SQL_Select_Count, HTTP_GET_SQL_Select_Count, Other)

*36 Conficker Working Group Observations (http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking).
*37 For some reason Conficker Working Group data appears to be missing between March 28 and April 2, 2015, so we have cited data for April 3, 2015, which should not be affected.
*38 Attacks accessing a Web server to send SQL commands, thereby manipulating an underlying database. Attackers access or alter the database content without proper authorization, and steal sensitive information or rewrite Web content.
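The per-type counts in Figure 11 come from IPS signatures. The following added example (our own code, not IIJ's) shows how the same three attack patterns the text names, data theft, server overload and content rewriting, can be classified from Web server logs. The signature family names echo the legend of Figure 11; the regular expressions approximating them, the log format and the log lines are assumptions constructed for this demonstration, not the IIJ Managed IPS Service signatures.

```python
"""Classify SQL injection attempts in web access logs by attack pattern.

Added example, not part of the IIJ report. The signature family names
(WaitForDelay, Convert_Int, UnionSelect, ...) echo the legend of Figure 11;
the regular expressions approximating them, the log format and the log lines
are our own assumptions, constructed for this demonstration.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# (name, pattern, which of the report's three attack goals it serves)
SIGNATURES = [
    ("WaitForDelay", re.compile(r"\bwaitfor\s+delay\b", re.I), "overload/blind"),
    ("Convert_Int", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I), "steal"),
    ("UnionAllSelect", re.compile(r"\bunion\s+all\s+select\b", re.I), "steal"),
    ("UnionSelect", re.compile(r"\bunion\s+select\b", re.I), "steal"),
    ("Declare_Exec", re.compile(r"\bdeclare\s+@\w+.*\bexec\b", re.I | re.S), "rewrite"),
    ("Select_Count", re.compile(r"\bselect\s+count\s*\(", re.I), "steal"),
]

# Constructed log format: timestamp, source IP, method, target (URL-encoded);
# for POST the encoded form body follows as a fifth field.
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)(?: (\S+))?$")


def normalize(s):
    """Decode URL encoding twice so %2520-style double encoding cannot hide a
    keyword, then flatten comment and whitespace tricks such as UNION/**/SELECT."""
    s = unquote_plus(unquote_plus(s))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s)


def classify(payload):
    """Return (signature, goal) for the first matching signature, else None."""
    text = normalize(payload)
    for name, pattern, goal in SIGNATURES:
        if pattern.search(text):
            return name, goal
    return None


def analyze(raw_log):
    """Count hits per signature (named in the style of the IPS legend) and per source."""
    by_signature, by_source = Counter(), Counter()
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, method, target, body = m.groups()
        hit = classify(target + " " + (body or ""))
        if hit:
            by_signature[f"HTTP_{method}_SQL_{hit[0]}"] += 1
            by_source[src] += 1
    return by_signature, by_source


# Constructed sample log: three probes from one source, two from another, one benign request.
RAW_LOG = """\
2015-02-13T10:00:01Z 203.0.113.7 GET /news.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20accounts--
2015-02-13T10:00:02Z 203.0.113.7 GET /news.php?id=1;WAITFOR%20DELAY%20'0:0:5'--
2015-02-13T10:00:04Z 203.0.113.7 GET /news.php?id=convert(int,(select%20top%201%20name%20from%20sysobjects))
2015-02-13T10:00:05Z 198.51.100.9 POST /login.php user=a'%3Bdeclare%20@q%20varchar(8000)%3Bset%20@q%3D0x2e2e%3Bexec(@q)--
2015-02-13T10:00:06Z 198.51.100.9 GET /search.php?q=1'%20and%20(select%2520count(*)%20from%20users)>0--
2015-02-13T10:00:09Z 192.0.2.44 GET /news.php?id=42
"""

if __name__ == "__main__":
    sigs, sources = analyze(RAW_LOG)
    total = sum(sigs.values())
    for src, n in sources.most_common():
        print(f"{src:15} {n:3} ({100 * n / total:.1f}%)")
    for sig, n in sigs.most_common():
        print(f"{sig:32} {n}")
```

Two points the paragraph does not show: the double decode is needed because a single decoding pass leaves `%2520count` unrecognisable, and the per-source counter is what turns a day's detections into the "over 400,000 attacks from a single source" figure the report quotes. Any real deployment would also rate-limit or block at the source, not only count.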
1.3.4 Website Alterations
Here we indicate the status of website alterations as surveyed through the MITF Web crawler (client honeypot)*39. This Web crawler accesses tens of thousands of websites on a daily basis, with a focus on well-known and popular sites in Japan. We also add new target sites on a regular basis. In addition to this, we temporarily monitor websites that have seen short-term increases in access numbers. By surveying websites thought to be viewed frequently by typical users in Japan, it is easier to speculate on trends regarding fluctuations in the number of altered sites, as well as the vulnerabilities exploited and the malware distributed.

The number of drive-by download attacks observed between January and March 2015 continued the declining trend seen in the October to December 2014 period, and fell by around another 10 percent (Figure 12). In January in particular, almost no activity was observed. Additionally, following an increase in attack numbers from the latter half of February, there tended to be sharp drops in the number of attacks detected during weekends. As for the composition of attacks, the majority consisted of either Nuclear, which we have been detecting since we began operating this Web crawler, or Neutrino, which had not been detected since February 2014*40. Each of these exploit kits, like many of the other exploit kits that have been popular recently, is equipped with functions for exploiting Flash vulnerabilities (such as CVE-2014-0515, CVE-2014-0569, CVE-2015-0313, and CVE-2015-0336), and functions for exploiting new vulnerabilities are added at a fast pace*41. In most cases, the websites altered to redirect visitors were observed intermittently acting as a redirection source over an extended period (more than three months). Regarding trends in content, the sites observed included those that introduce adult video content, as well as websites of small and medium-scale content providers. These trends remain unchanged. Overall, although the incidence rate for drive-by downloads was very low, it can be said that it is now in a slight uptrend. Because Nuclear and Neutrino, which were commonly observed in this survey period, have been linked to Operation Windigo*42 *43, the attacker groups behind them may wield a comparatively large amount of potential power. It is recommended that all parties continue to exercise caution. Website operators should ensure that measures against the alteration of web content are in place, and visitors should stay up to date with measures against vulnerabilities in browsers or related plug-ins (Flash Player in particular).

Figure 12: Rate of Drive-By Download Incidence When Viewing Websites (%) (by Exploit Kit)
(Figure; daily incidence rate from 2015.1.1 to 2015.3.31 on a scale of 0 to 0.006%; legend: Neutrino, Nuclear, Angler, Fiesta, SweetOrange, Other. Covers several tens of thousands of sites in Japan. In recent years, drive-by downloads have been configured to change attack details, and whether or not attacks are made at all, based on the client system environment or session information, source address attributes, and the quota achievement status of factors such as the number of attacks. This means that results can vary wildly at times depending on the test environment and circumstances.)

*39 See "1.4.3 Website Defacement Surveys Using Web Crawlers" in Vol.22 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol22_EN.pdf) for an explanation of Web crawler observation methods.
*40 The Neutrino Exploit Kit spread like wildfire in Japan and internationally from around October 2013, but it gradually died down, and this Web crawler had not detected it since February 2014. That said, in November 2014 the release of a new version was reported in an article titled "Neutrino : The come back! (or Job314 the Alter EK)" (http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html).
*41 For example, in "CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits" (http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html), it is reported that a vulnerability disclosed on March 12, 2015, was confirmed to be exploited by Nuclear on March 19, and by Neutrino on April 2.
*42 Large-scale attack activity disclosed in the ESET white paper "OPERATION WINDIGO" (http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf). It is reported that since 2011, more than 25,000 servers have been compromised and exploited to send spam or redirect clients.
*43 Regarding connections to Operation Windigo, see "HAPPY NUCL(Y)EAR - EVOLUTION OF AN EXPLOIT KIT" (http://community.websense.com/blogs/securitylabs/archive/2015/01/15/evolution-of-an-exploit-kit-nuclear-pack.aspx) for more information on Nuclear, and "Exploit Kit Evolution - Neutrino" (https://isc.sans.edu/diary/Exploit+Kit+Evolution+-+Neutrino/19283) for more information on Neutrino.

1.4 Focused Research
Incidents occurring over the Internet change in type and scope from one minute to the next. Accordingly, IIJ works toward implementing countermeasures by continuing to perform independent surveys and analyses of prevalent incidents. Here we present information from the surveys we have undertaken during this period regarding increasingly malicious PUAs, ID management technology, and the evaluation of the IOCs of malware that reprograms HDD firmware.

1.4.1 Increasingly Malicious PUAs
PUA is an abbreviation of Potentially Unwanted Application, and refers to software that is either not needed by users in the first place, or that includes some inappropriate functions despite being beneficial overall. They are also known as PUPs (Potentially Unwanted Programs). Adware that forcibly inserts advertising while the software is being used is sometimes treated as a type of PUA as well. Although some PUAs appear to be harmless and simply provide legitimate functions at first glance, there are also malicious PUAs that acquire information on user behavior and send it to external sources for use in advertising and the like, without the user being aware. Additionally, in recent years there has been an increasing number of malicious PUAs that use techniques similar to malware: tricking users into installing them, using them to steal information, installing other PUAs, altering Web content, and elevating privileges by bypassing UAC. In this report, we examine the results of IIJ's recent analysis of a number of PUAs, and discuss the techniques they used.

Defining PUAs
The strict definition of PUA differs even among experts. That is because, going by the literal definition, all programs with functions that are unwanted by users can be considered PUAs, regardless of whether or not they are malicious. Whether a program is unwanted by a user varies based on factors such as their attitude, point of view, situation, and environment. Consequently, here we define PUAs as all unwanted programs installed in addition to the software a user intended to install, despite having no relation to it. We refer to the examples among these that use techniques similar to malware as malicious PUAs.

Examples of Malicious PUAs
Intrusion Route
Attackers often manipulate Web search engine results in advance through techniques such as SEO poisoning*44 to redirect users to fraudulent sites. For example, when searching for a certain piece of software you want to download by entering the software's name and version along with keywords such as "download," there have been cases in which a fraudulent site is displayed with a higher ranking than the original distribution site. In other cases, fraudulent distribution sites are mixed in with the ads displayed together with the search results. The fraudulent sites that users are redirected to sometimes feature domain names and designs that resemble famous download sites, making it harder to identify them as fraudulent. There have also been fake download buttons that induce users to download malicious PUAs amongst the ads on the Web pages of a number of well-known download sites. Figure 13 shows a sample design for a download site. There are multiple ad-based fraudulent download buttons mixed in with the others, so users unfamiliar with the website are unlikely to know which is the real download button. Furthermore, several well-known download sites use their own dedicated download tool, and have users download the software they want to install through this tool. However, in some cases PUAs are bundled in with these tools. There are also cases in which download sites offer installers bundled with PUAs after obtaining permission from the individual software creators.

Figure 13: Examples of Fake Download Buttons (Ads) Inserted into Download Sites
(Figure; a mock download page for "(Software name)" at xxx-download.example.com with a screenshot, a software description and the details "License: Free, Languages: English, OS: Windows XP/Vista/7/8, Version: Latest". The real download link (xxx2-1-1.exe, marked "Correct download button") sits among ads reading "Download the latest Japanese version for free", "Downloadable at our website", "Download Manager Version: 2.3.02 Size: 547kb Free download" and "Another ad". Though these closely resemble download buttons, they are actually ads that either trigger an automatic download or redirect users to fraudulent sites.)

*44 SEO (Search Engine Optimization) poisoning is a technique for displaying a page you have prepared higher than it would normally be ranked, by intentionally manipulating the search results using the search engine optimization algorithm. It was originally a marketing technique, but now it is also used to cause harm to users through malware infections and the like.
PUA Implementation Framework
Some PUAs that users are induced to download are individual pieces of adware, but in other cases they have been downloader programs that go on to install multiple PUAs. In one example, a diverse range of additional PUAs were downloaded, with the number and type varying from one minute to the next. This is thought to indicate that the person who built the PUA framework was running a pay-per-install*45 operation, installing PUAs on user systems based on client requests for financial gain. Downloader-type PUAs communicate with a C&C server periodically after they are installed, updating themselves and downloading new PUAs. Additionally, in many cases PUAs also install the software users originally intended to install, making it harder for users to realize they have been deceived. For installer-type PUAs, there are also cases in which designs that users find confusing are intentionally used to get users to unwittingly consent to installing a PUA during the installation process. Figure 14 is an example of an adware installer design. It is made to appear as the installer for the software the user wants to install, but the terms of license text refers to other adware, and this adware is installed in the background when the user clicks "CONTINUE". Unless the user is paying close attention during installation, they are deemed to have consented to installing the adware. Some PUAs were installed without obtaining user consent. If PUAs like this are executed, even if the user rejected installation of the software shown, the PUA will remain on the PC, and continue to download new PUAs and attempt to update itself. Some of the additionally downloaded PUAs were also installed without obtaining user consent.

Figure 14: Example of PUA Installer Design
(Figure; an installer window bearing the title of the software the user originally intended to install, showing a "User consent form" that is actually for adware, and a "CONTINUE" button. Although the button says "CONTINUE", clicking it at this point will cause adware to be installed. To reject the installation you must click "decline", but a number of tricks have been used to make this harder, such as small text, unfamiliar terms, and text that appears grayed out and not clickable.)

Web Content Alteration
Some PUAs were run as Web browser plug-ins or extensions, or the code for the PUA itself was injected into a Web browser to hook the send and receive APIs and hijack them, stealing all the URLs a user had accessed. Ads based on these were then inserted into the Web content being viewed, altering it. Although the inserted content differs, this is similar to banking Trojans such as ZeuS, SpyEye, and Vawtrak*46 that use the WebInject technique*47. Software that uses this type of attack method is also known as a Web browser hijacker. Other techniques include installing a self-signed root certificate and having the PUA itself act as a local proxy for HTTP(S), causing all communications from the Web browser to be sent to it. Certificates from Web servers are then intercepted, altered, and signed using the root certificate that the PUA installed itself. Some variants discovered use this technique to intercept communications via a MITM*48 attack, and alter content by inserting ads and the like. Both techniques enable alterations even to encrypted HTTP communications without users noticing, so they are extremely dangerous. There are also examples that operate as a Web browser toolbar, forcing the use of a search engine provided by an adware supplier, and intercepting search keywords.

Exploiting Windows Specifications
Malware such as PlugX*49 and Dridex*50 each use different techniques to bypass UAC*51 pop-ups, and are equipped with functions to automatically gain administrator privileges. A number of the PUAs we analyzed in this survey also incorporated functions for elevating privileges in this way (most using the same method). This is because it is necessary for a PUA to gain administrator privileges in order to subsequently install multiple additional PUAs to the system folder without the user noticing.

Obfuscation
A number of PUAs downloaded additional PUAs that were compressed using a custom format or obfuscated, and these were difficult to detect using IDS or IPS because they were not in executable format while traveling over the communications route. Furthermore, the PUAs themselves also implemented code obfuscation or the obfuscation of key character strings, making it harder to detect and analyze their characteristics.

Anti-Sandbox Techniques
A number of PUAs were only added to the startup programs when installed, so they were not executed until the next time the PC was rebooted. This behavior is designed to evade detection by sandbox products that use dynamic analysis for rapid detection, and the same technique is used by some malware. Even when attempting to execute them manually or rebooting the PC directly after installation, although communications with the C&C server took place, they were configured not to download new PUAs from the server immediately. Instead, new PUAs were downloaded after anywhere from a few days to several months had passed. This is also thought to be a technique for evading detection by sandboxes.

*45 Pay-per-click affiliates are also called pay-per-access, with rewards determined based on the number of ads that are clicked. Similarly, pay-per-install rewards are determined based on the number of software installations made. For example, if the client is a creator of adware that earns money by having users access sites repeatedly, they send requests to have this adware installed on as many PCs as possible. Organizations boost their potential earnings with this kind of framework. That is why the consignee is believed to build frameworks like this: they receive a greater financial reward from the client for inducing more installations. It is said this model has also been used with malware in recent years.
*46 See "1.4.3 ZeuS and its Variants" in Vol.16 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol16_EN.pdf) for more information on ZeuS. See "1.4.2 SpyEye" in Vol.13 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol13_EN.pdf) for more information on SpyEye. See "1.4.2 The Vawtrak Malware That Steals Authentication Information for Japanese Financial Institutions" in Vol.24 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol24_EN.pdf) for more information on Vawtrak. The Citadel variant of ZeuS is also detailed in "1.4.2 The Citadel Variant of ZeuS" in Vol.18 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol18_EN.pdf).
*47 WebInject is a function for altering Web content in browser memory by setting hooks on the Web browser's communication API. Most banking Trojan malware such as ZeuS and SpyEye has functions like this. WebInject is used to deceive a user into entering additional authentication information, such as a passcode for two-factor authentication, when the user logs in to a financial institution. The stolen authentication information is used in an attempt to misappropriate funds. A detailed explanation of WebInject can be found in IIR Vol.18 (http://www.iij.ad.jp/en/company/development/iir/018.html) under "1.4.2 The Citadel Variant of ZeuS," or IIR Vol.13 (http://www.iij.ad.jp/en/company/development/iir/013.html) under "1.4.2 SpyEye."
*48 A MITM (Man-In-The-Middle) attack is a technique in which the attacker interposes themselves between two communicating parties to steal communications, decrypting them to intercept or alter the content without users noticing.
*49 See "1.4.1 The PlugX RAT Used in Targeted Attacks" in Vol.21 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol21_EN.pdf) and the "I Know You Want Me - Unplugging PlugX" Black Hat Asia 2014 presentation (https://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf) for more information about PlugX. The elevation of privileges by bypassing UAC is also discussed within.
*50 See the JPCERT/CC Analysis Center article "The New UAC Bypass Method Used by Dridex" (https://www.jpcert.or.jp/magazine/acreport-uac-bypass.html) (in Japanese) for more information on the UAC bypass technique used by Dridex.
*51 Windows versions from Windows Vista onward include a function called UAC (User Account Control) that disables administrator privileges even when an account with administrator privileges is logged in. A pop-up prompting the user for permission is displayed when a program performs a critical operation that changes the system, and privileges are only given if permission is granted. There are four levels of UAC control, but at the default level, which from Windows 7 onward is the second highest of the four (in Vista the highest level was the default), a UAC pop-up is not displayed when Windows determines that an action was performed by a user, and privileges are elevated automatically. In recent years, malware has exploited this specification in a number of attack methods that make actions appear as if they were performed by a user, so that administrator privileges are granted automatically without displaying a UAC pop-up.
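The UAC level described in footnote *51 is stored as a few registry values, and whether a machine is at the default level (where signed Windows binaries auto-elevate, the property the bypass techniques above rely on) or at the highest level is something an administrator can check directly. The following is an added example written for this page, not IIJ's code: the value names and their meanings are Microsoft's documented ones for the Policies\System key, the sample value sets are constructed, and on Windows the live values are read with the standard winreg module.

```python
"""Assess the UAC level referred to in the "Exploiting Windows Specifications"
passage and footnote *51.  Added example, not IIJ's code.  The registry value
names and meanings are Microsoft's documented ones under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System; the
sample value sets below are constructed so the logic runs on any platform.
"""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# The four slider positions and the (ConsentPromptBehaviorAdmin,
# PromptOnSecureDesktop) pairs they write.  Only "Always notify" makes
# Windows prompt for its own signed auto-elevate binaries as well.
SLIDER = {
    (2, 1): "Always notify (highest)",
    (5, 1): "Notify only when apps try to make changes (default)",
    (5, 0): "Notify only when apps try to make changes (do not dim desktop)",
    (0, 0): "Never notify",
}


def read_uac_values():
    """Read the live values on Windows; raises OSError elsewhere."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        return {name: winreg.QueryValueEx(key, name)[0] for name in VALUE_NAMES}


def assess_uac(values):
    """Return the slider level and whether signed Windows binaries auto-elevate.

    ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 1/3 = prompt for
    credentials, 2/4 = prompt for consent, 5 = prompt only for non-Windows
    binaries.  Auto-elevation of Windows binaries (what UAC-bypass techniques
    piggyback on) is in effect at 5, and everything elevates silently at 0.
    """
    lua = values.get("EnableLUA", 1)
    admin = values.get("ConsentPromptBehaviorAdmin", 5)
    secure = values.get("PromptOnSecureDesktop", 1)
    if lua == 0:
        return {"level": "UAC disabled",
                "auto_elevates_windows_binaries": True, "silent_elevation": True}
    return {
        "level": SLIDER.get((admin, secure), f"custom (admin={admin}, secure_desktop={secure})"),
        "auto_elevates_windows_binaries": admin in (0, 5),
        "silent_elevation": admin == 0,
    }


def hardened_values():
    """The value set for "Always notify", the level footnote *56 recommends."""
    return {"En​ableLUA": 1, "ConsentPromptBehaviorAdmin": 2, "PromptOnSecureDesktop": 1}


# Constructed sample: the Windows 7+ default, which the bypasses target.
DEFAULT_VALUES = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

if __name__ == "__main__":
    try:
        current = read_uac_values()
    except OSError:
        current = DEFAULT_VALUES
    report = assess_uac(current)
    print(report)
    if report["auto_elevates_windows_binaries"]:
        print("Raise UAC to 'Always notify':", hardened_values())
```

The values returned by hardened_values() are the ones Group Policy or reg.exe write when the slider is moved to the top. Note that "Always notify" only closes the auto-elevation route; a PUA that has already been granted administrator rights by a careless click on "CONTINUE" does not need a bypass at all.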
VM Detection
Many malware specimens have functions for interfering with execution in a virtual environment or sandbox, and similar functions were also found in the PUAs we analyzed here. In particular, virtual environments such as Hyper-V, Xen, and KVM, which I have not seen when analyzing malware in the past, were also detected. Detection was carried out using the WMI and WBEM*52 functions to obtain BIOS information. In combination with other techniques, it is possible to detect almost all virtual environments, and the PUAs incorporated mechanisms that change their behavior to prevent execution upon detection. This is another way in which they interfere with analysis.

The Risk of PUA Infections at Organizations
The Web browser hijacker PUAs discussed here send all information, such as the URLs of websites visited by users, to an external party. If an organization is infected with this kind of PUA, details such as intranet server names, URL path information, and GET parameters will also be leaked. This is undesirable from the perspective of protecting the internal information of organizations such as companies. Furthermore, there is a risk of malware being included among the additional programs installed by PUA frameworks. In recent years there have also been cases in which ad sites themselves have been altered*53, leading to malware being installed via drive-by downloads*54. The risk of infection through users being redirected to a malicious website when viewing an ad displayed by adware cannot be excluded. To avoid this situation, it is a good idea to carry out monitoring to prevent PUAs, or any software unwanted by the organization or user, from being installed. You should also construct a system that enables you to deal with infections swiftly if they are discovered.
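The BIOS and system-information check described under "VM Detection" above amounts to querying a few WMI properties and matching them against the strings each hypervisor exposes. The following added example reproduces that check from the analyst's side; it is neither the PUA's code nor IIJ's. The WMI class and property names are real, the indicator strings are the well-known values left by each platform, the sample records are constructed, and collect_wmi() assumes the wmic command is available on the Windows host it runs on (it is deprecated on recent releases).

```python
"""Hypervisor detection from WMI system/BIOS properties, as an added example
(not the PUA's code and not IIJ's).  Sample records are constructed; on
Windows, collect_wmi() gathers the same properties with wmic (assumed present).
"""
import subprocess
import sys

# Substrings each platform leaves in WMI properties (matched case-insensitively).
# Indicators are chosen to be specific: "Microsoft Corporation" alone is not
# used for Hyper-V because physical Surface devices report it too.
INDICATORS = {
    "Hyper-V": [("Win32_ComputerSystem.Model", "virtual machine"),
                ("Win32_BIOS.SMBIOSBIOSVersion", "hyper-v")],
    "VMware": [("Win32_ComputerSystem.Manufacturer", "vmware"),
               ("Win32_BIOS.SerialNumber", "vmware")],
    "VirtualBox": [("Win32_ComputerSystem.Model", "virtualbox"),
                   ("Win32_BIOS.SMBIOSBIOSVersion", "vbox")],
    "Xen": [("Win32_ComputerSystem.Manufacturer", "xen"),
            ("Win32_ComputerSystem.Model", "hvm domu")],
    "KVM/QEMU": [("Win32_ComputerSystem.Manufacturer", "qemu"),
                 ("Win32_BIOS.Manufacturer", "seabios")],
}


def detect_hypervisor(fields):
    """Return (platform, matched indicators) or (None, []) for the given WMI values."""
    lowered = {k: str(v).lower() for k, v in fields.items()}
    for platform, checks in INDICATORS.items():
        hits = [(prop, needle) for prop, needle in checks if needle in lowered.get(prop, "")]
        if hits:
            return platform, hits
    return None, []


def collect_wmi():
    """Gather the properties on Windows via wmic (assumption: wmic is available)."""
    if sys.platform != "win32":
        raise OSError("wmic is only available on Windows")
    aliases = {"computersystem": "Win32_ComputerSystem", "bios": "Win32_BIOS"}
    wanted = {"computersystem": ["Manufacturer", "Model"],
              "bios": ["Manufacturer", "SerialNumber", "SMBIOSBIOSVersion"]}
    fields = {}
    for alias, props in wanted.items():
        out = subprocess.run(["wmic", alias, "get", ",".join(props), "/format:list"],
                             capture_output=True, text=True, check=True).stdout
        for line in out.splitlines():
            if "=" in line:
                name, value = line.split("=", 1)
                fields[f"{aliases[alias]}.{name.strip()}"] = value.strip()
    return fields


# Constructed sample records, using the values these platforms are known to report.
SAMPLES = {
    "hyperv": {"Win32_ComputerSystem.Manufacturer": "Microsoft Corporation",
               "Win32_ComputerSystem.Model": "Virtual Machine",
               "Win32_BIOS.SMBIOSBIOSVersion": "Hyper-V UEFI Release v4.1"},
    "xen": {"Win32_ComputerSystem.Manufacturer": "Xen",
            "Win32_ComputerSystem.Model": "HVM domU"},
    "kvm": {"Win32_ComputerSystem.Manufacturer": "QEMU",
            "Win32_ComputerSystem.Model": "Standard PC (i440FX + PIIX, 1996)",
            "Win32_BIOS.Manufacturer": "SeaBIOS"},
    "physical": {"Win32_ComputerSystem.Manufacturer": "Dell Inc.",
                 "Win32_ComputerSystem.Model": "Latitude E7440",
                 "Win32_BIOS.SerialNumber": "ABC1234"},
}

if __name__ == "__main__":
    try:
        records = {"this host": collect_wmi()}
    except OSError:
        records = SAMPLES
    for name, fields in records.items():
        print(name, detect_hypervisor(fields))
```

For a sandbox operator the list of indicators is the to-do list: each property a PUA can read through WMI has to be overridden with plausible vendor strings, and the report's observation that Hyper-V, Xen and KVM are now checked means cloud-hosted analysis environments are no longer exempt.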

Countermeasures
To avoid being infected by malicious PUAs, users themselves must first become familiar with the official sites of the software that they use. By always using only the official site, or legitimate mirror sites reached from there, it is possible to prevent the download of malicious PUAs from fraudulent websites. There is also the risk of downloading PUAs by clicking malicious ads posing as download buttons, so techniques such as checking the hash values listed on the official site are another way of preventing people from falling for this trick*55. Furthermore, it is always best to avoid installing software that has a dubious reputation or is from an unreliable source without taking the proper precautions. If you are an administrator, it is a good idea to consider granting users only general user privileges to prevent them from installing software arbitrarily. In addition, because some software can be installed in user directories, you can stop users from downloading and using software freely by prohibiting the execution of programs outside the system directory and program files folder, via Windows functions such as software restriction policies or AppLocker. Some well-known or pre-installed software may also attempt to install PUAs when it is installed or updated. Take care not to click the "Next" button too quickly without reading the details. Additionally, because there have been incidents in which adware has been found in software pre-installed on PCs, caution must be exercised when procuring PCs. A number of manufacturers specify a list of pre-installed software, so refer to this when selecting PCs. Furthermore, some manufacturers enable the customization of PCs for business use, so you can have them shipped with the pre-installed software removed. Procuring PCs like this is one method to consider. Other than that, it will also be necessary to implement measures similar to those for malware, due to the possibility of vulnerabilities being exploited to force installation*56.

*52 WBEM (Web-Based Enterprise Management) is a technical specification for managing distributed computing. It was drawn up by the DMTF (Desktop Management Task Force) industry standards group. WMI is short for Windows Management Instrumentation, which is an implementation of WBEM for Windows. Using WMI it is possible to perform tasks such as obtaining a variety of local and remote Windows information (all manner of information such as hardware, software, OS, users, and processes), and changing the status.
*53 The attack technique in which an attacker alters an ad platform to set up an exploit within it is called malvertising. Malvertising is a coined term that combines "malicious" and "advertising." In many cases ad platforms distribute ads to multiple websites, and when these are altered it is possible to distribute an exploit to all of these websites at once. Because this is efficient for attackers, in recent years these platforms have been targeted frequently. There are also cases in which attackers themselves directly distribute ads for redirecting users to malware sites.
*54 Drive-by downloads cause malware infections by exploiting some kind of vulnerability when a user views Web content. If the computer used by the viewer is vulnerable, it is infected with malware by merely viewing the Web content.
*55 The importance of confirmation using hash values is discussed in detail under "1.4.3 Alteration of Software Distribution Packages" in Vol.10 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol10.pdf).
*56 [...] specifications to bypass UAC. For this reason, those managing PCs with an administrator account should look into raising UAC to the highest level.

1.4.2 ID Management Technology
Continuing on from the previous report, here we will once again discuss ID (identity) management. In the previous report we discussed IDs under the narrow definition of identifiers, and took a look at the relationship between private tokens and public credential information. We also examined the difference between authentication and authorization, and explained the process from authentication using tokens and circulation of the various credentials to finally granting access privileges. In this report, we talk about how these technologies are actually used, including some specific examples.

ID and Token Variation
In the previous report, we explained the process by which an entity with an ID is authenticated in order to associate attribute and authorization information with the corresponding ID, and to issue credential information associated with them. At the time of authentication, tokens are used to guarantee the reliability of the entity with that ID. Because authentication is carried out for an individual realm (the valid area of the authentication and authorization process), entities in each realm generally have ID and token pairs. In this report, we present use cases in which IDs and tokens are actually used.

In a realm there is an IdP (identity provider) that performs authentication-related tasks, and an entity in that realm is assigned a unique ID. This can be thought of as the registration screen into which you input the necessary details when using an online service for the first time. When registering, there is a "user ID" or similar field for entering an ID, and a check is performed to ensure that the ID is not already in use by another user. On the other hand, there are cases in which a random ID is assigned on the service side. In either case, personal data such as an email address or phone number is also normally entered upon user registration. Registration is only provisional at this stage, so a notification is sent along with a "challenge", by way of an email to the address entered or a short message to the phone number, and the user's identity is confirmed by having them input the corresponding challenge. During provisional registration or input of the challenge, a password is generally chosen as a type of token. In this way, use of the service becomes possible once registration of the ID and password pair is complete.

There are now cases in which an email address is substituted rather than assigning an ID unique to a realm. This is done to reduce the cost of managing IDs within a realm, and because it has the added benefit of avoiding situations where an ID selected by the user, or in particular a random ID assigned by the IdP, is forgotten. When assigning IDs unique to a realm, it is necessary to operate a Web page for providing ID reminders or resetting the password by prompting users to enter the email address or phone number used to confirm their identity, and this increases the burden on the service side. Meanwhile, when using an email address as the ID, you must consider the fact that it may be targeted in list-based attacks. It could be said that there is the same risk when identical IDs are reused on each realm. Of course, not reusing the same password is a fundamental countermeasure against this, but the name binding or collation of leaked data due to IDs being identical is also a risk*57. In light of these circumstances, we are now seeing systems that issue IDs unique to a realm, but also give users the right to choose whether or not to use their email address during the login process.

*57 [...] the email address of an acquaintance on a reminder page for the input of IDs on an SNS or shopping site, due to email addresses being used as IDs.

This is of course not limited to ID-based name collation, as the threat of name collation through information such as the name or phone number entered entered number phone or remains. name the still as such registration of information time the through at collation name of threat the as collation, name ID-based to limited not course of is environments. This Targeted in client in Used RAT PlugX “1.4.1 The of end the at countermeasures infection malware about information more for Attacks” (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol21_EN.pdf) report this of Vol.21 See 57

. Additionally, there have been cases in the past where the leak of private information has been caused by entering the the entering by caused been has information private of leak the where past the in cases been have there . Additionally, ID Management Technology: From a Convenience and Security Perspective Security and aConvenience From Technology: Management ID 56 . As we have discussed here, there are also malicious PUAs that exploit Windows Windows exploit that PUAs malicious also are there here, discussed have we . As up to this point, and they were seen as a secure authentication method. However, in February 2015, Japan’s National Police Police National Japan’s 2015, February in However, method. authentication asecure as seen were they and point, this to up systems banking Internet in used been mainly have passwords One-time discarded. then and once used is that token of type a are which passwords, one-time examine will we Next tokens. and IDs of use the regarding variations discussed we Above n One-Time Password Variation privacy. their protecting on emphasis place who users of needs future the on based point some at implemented be may this like approach anew but now, right this like amethod using actually systems no are There 15. Figure in shown as possible, also are tokens base nor IDs base neither use that systems authorization and authentication tokens, and IDs derivative of concept the upon expanding by Furthermore, tokens). of reuse leak or (the IDs of security and IDs) (forgetting convenience user between balance the consider to best is it demonstrates, this As leaks. token the if impact the minimize to you enables This token. base the for authorization the of scope the to comparison in used is token derivative a when authorization the of scope the limit can and delegation as it of think can you perspective, this From changed. 
be to need not does password base the so password, derivative the disable to have only you that is advantage Another disclosed. be and application specific a from leak to were password ifa caused damage the limiting of benefit the has also This difficult. is input password where smartphones as such environments in function auseful be would This itself). token actual the using than rather stored, and password amaster using encrypted are tokens which in cases include could (this smartphone a on application each for tokens derivative saving be could use possible one goes, this of purpose actual the as far As password. one-time of atype as considered be also can it token, asingle-use as token derivative this of think you When token. base the from separately ID abase to token aderivative linking by authentication for pair token derivative and ID base a of use the involves technique This IDs. derivative of idea the to similar considered be can tokens derivative of concept The in. log you when displayed nickname the as such information to attention pay to necessary is it example, For associated. being party athird of perspective the from different appear that users by activities multiple to leading under, in logged are you ID derivative which forget you where cases be may there that is noted be should that point One IDs. derivative between switching simply by service each for IDs derivative different using actions perform to possible it making again, in logging when token the re-enter to necessary not also is It ID. derivative each for tokens individual manage to having of confusion the eliminating used, is ID base the with associated atoken ID, aderivative using in logging When athreat. itself in is IDs the of leak the previously, mentioned as where, situations prevent to way asimple as serves This used. actually is ID an which in situation each for it from IDs different deriving and ID, base your as you to assigned first ID the treating of idea the to leads This entity. 
same the by made being are actions or words your that known be to it want not do you and service, the on based perspective your change to want you which in situations are there cases, these In token. and ID same the with services of arange provides site the which in cases are there IdPs, as used are sites SNS or sites portal various When issue. this with deal to way as a IDs derivative and IDs base using of concept the examine now will We confidential. kept be should they that recognized is it where cases also are there past, the in information public as of thought were IDs although that shows This Figure 15: The Concept of Derivative Tokens and IDs and Tokens Derivative of Concept The 15: Figure Base Token Token Derivative Token Authentication Authentication ID (Identifier) Base ID Authorization Authorization Derivative ID Credential Credential Base Form 23 Infrastructure Security 24 Infrastructure Security *60 *60 *59 *61 *61 targeting corporate accounts that involve comparatively large remittance amounts, and an alert was issued* was alert an and amounts, remittance large comparatively involve that accounts corporate targeting attacks to given was attention Particular increase. the on also were damages that and losses, incurred had institutions *58 *58 2014* for banking Internet in remittances illegal regarding studies case published Agency safe, and omits the input of account numbers for transfers to these pre-registered accounts. pre-registered these to transfers for numbers account of input the omits and safe, are advance in users by registered accounts that assumption the on based is technique The device. input no with generators password one-time as used be also can they convenience, user for Additionally, accounts. attacker’s the for blacklists create automatically to possible is it time, this at generated log transaction the recording also by and attacker, an by intended account the to sent being money prevents This to. 
money transfer to want they number account the input themselves users having by numbers, account of correctness the guarantee that passwords one-time displaying and generating for functions feature They before. like authentication during password one-time the outputting for merely not are devices The rewritten. been have may that transactions of legitimacy the confirm to users enable that techniques incorporating also while verification identity enabling interface, input akeypad have devices hardware new these devices, previous Unlike cards. password one-time using start would they 2015that in institutions financial from announcements were there response, In ineffective. were countermeasures the verification identity improved with even words, other In attacks. Man-in-the-Browser for countermeasure fundamental no is there rewritten, been have sees auser transactions the possible that is it because However, PCs. and addresses IP specific from transactions accepting only as such measures secondary incorporate also systems banking corporate certificates, X.509 of use abovementioned the to addition In hand. at transaction the with do to nothing has which token, correct the has user the whether identify to used be only could it interface, input no with generator password aone-time simply was device hardware this because However, systems. banking of number a at adopted been also have authentication during devices hardware of use combined the featuring measures past, the In device. input an with equipped devices hardware of use the to migrating towards made being is progress problem, this to response In attacker. an by rewritten been actually have may transactions that possibility undeniable an is There improved. are methods authentication if even alone, browser the in shown information the on based legitimate is atransaction not or whether confirm explicitly to auser for impossible being it of problem the demonstrates This used. 
is password one-time adisposable when even possible are remittances illegal re-written, are amount transfer or number account destination However, as shown by Man-in-the-Browser attacks* Man-in-the-Browser by shown as However, remittances. large or changes address as such processes, important particularly with verification identity the reinforces time each discarded is that password aone-time of use leaked, number PIN primary the if Even etc. ATMs, at authentication for used password the to corresponds that number) 4-digit (a number PIN primary the as time same the at input is password atemporary which in method authentication an is case latter This password. one-time a display that devices hardware with along used, were card or paper on listed tables number random past, the In systems. banking Internet in used methods authentication the improve to made being is effort an circumstances, these on Based are notsufficient. client certificates usingmethods SSL/TLS transfers have been made from PCs or browsers infected with malware* with infected browsers or PCs from made been have transfers automatic which in disclosed cases been still have there used are certificates digital these when However, security. more provide to known are these and authentication, banking Internet corporate for introduced been also have (strong authentication) certificates X.509 on based authentication client incorporate that those apassword, use simply that methods to

2nd Secure Systems Symposium - Hiromitsu Takagi and Watanabe, “The threat of Man-in-the-Browser and fundamental countermeasures” (in countermeasures” Japanese). fundamental and (https://www.risec.aist.go.jp/files/events/2014/0313-ja/risec-sympo2014-takagi.pdf) Man-in-the-Browser of threat “The Watanabe, Hajime and Takagi - Hiromitsu Symposium Systems Secure 2nd IPA, “Have you implemented sufficient countermeasures for illegal remittances in corporate Internet banking? (August 2014)” (https://www.ipa.go.jp/ 2014)” (August banking? Internet corporate in files/000040703.pdf) (in remittances Japanese). illegal for countermeasures sufficient implemented you “Have IPA, (http://www.npa.go.jp/cyber/pdf/ 2015)” (February 2014 in Banking H270212_banking.pdf) (in Internet Japanese). to Related Remittance Illegal of Incidents of “Status Agency, Police National Trend Micro Security Blog, “Analyzing digital certificate theft attacks targeting corporate net banking” (http://blog.trendmicro.co.jp/archives/9417) (http://blog.trendmicro.co.jp/archives/9417) banking” net corporate (in Japanese). targeting attacks theft certificate digital “Analyzing Blog, Security Micro Trend 61 and MITM attacks, if banking system transaction details such as the the as such details transaction system banking if attacks, MITM and 60 . This demonstrates that even authentication authentication even that demonstrates . This 58 , indicating that over 100 financial financial 100 over that , indicating 59 . In addition addition . In impairing convenience slightly. by convenience impairing communications important for systems verification identity powerful select can users which in age an of dawn the is This are”. you “something or have” you “something as categorized tokens include will This apassword. like know” you “something simply to addition in required be will tokens other where day the approaching We are period. atransitional in are methods verification identity these Currently, appear. 
will card ID employee an like management secure require and rooms entering when carried always are that devices based card IC as such products that possible is it Consequently, restricted. be may devices USB standard FIDO of use the on-site, brought being memory flash USB prohibit that organizations are there as Just concern. of be also will points following the mainstream, more becomes it if However, year. last since spread has use Its USB. as such interface an via device hardware small of a use through password, a entering without verified be to identity enables function that carries out the main processing. main the out carries that the function executing before side, mscfg32.dll the on addresses function of copying the as such initialization performs character and the strings, deobfuscates exports, nls_933w.dll that addresses function of anumber calls mscfg32.dll loading, After dll). (mscfg32. Orchestrator Platform called DLL by a loaded is (“nls_933w.dll”) firmware HDD reprograms that module The ofn Overview Initial Behavior Additionally, a browser that implements FIDO Alliance’s Second Factor UX* Factor Second Alliance’s FIDO implements that abrowser Additionally, security. and convenience user between abalance strike to best also is it this, to regard With IDs. as addresses email of use the permit they not or whether choose auser having as approach same the on based is This rewritten. be will transactions that is it thinks auser likely how on based from select to options of arange providing is solution potential one point, this Regarding device. the into input will users that data more the transactions, for codes bank and amounts transfer check explicitly to users enabling as such implemented, are that measures more The problem. is a number account the confirm explicitly only users that fact way, the Either place. 
taking remittance illegal of arisk be would there attacker, the of control the under number account same the with bank another at account an was there if case, this In specified. not is to money transfer to bank the that fact the is there Secondly, time. of period short aspecific during amount transaction the change that attacks by obstructed being business of apossibility is there money, tuition of receipt for institution educational an of account the as such register, users of numbers large that accounts For guaranteed. be cannot amount transaction the of legitimacy the input, is number account the only because all, of First countermeasures. these of state current the analyze will we Now *65 *65 *64 *63 *62 Group* Equation the called group attack an on information released Kaspersky 16, 2015, February On 1.4.3 evaluated of (IOCs)* indicators compromise areas on an HDD, making it harder to detect or delete malware. IIJ has analyzed the initial behavior of this module* this of behavior initial the analyzed has IIJ malware. delete or detect to harder it making HDD, an on areas data invisible generate to able also is It systems. file reformatting or reinstallation OS after even malware sustain to used be can module this of functions the that states Kaspersky GrayFish. and EquationDrug in aplug-in as embedded is that (HDD) drives disk hard reprogramming for amodule use they that fact the is characteristics unique their of one that said be could It GrayFish. Fanny, and TripleFantasy, DoubleFantasy, EquationDrug, EquationLaser, including sets malware of avariety use

EN.pdf) for more information about IOCs in memory. in IOCs about information more for (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol26_ EN.pdf) report this of Vol.26 in openioc_ Memory” The “1.4.2 Device See in Lurking device. or Threats anetwork for on Scans behind That left Plug-in scan compromise of incidents or infections malware as such threats indicating traces are IOCs 11fb08b9126cdb4668b3f5135cf7a6c5. is specimen the of value hash MD5 The ANSWERS” AND QUESTIONS GROUP: “EQUATION Group. (https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf). Equation the on areport published (GReAT) Team & Analysis Research Global Lab’s Kaspersky (https://fidoalliance.org/specifications/overview/). Alliance FIDO The

Evaluating the IOCs of Malware That Reprograms HDD Firmware 65 for detecting its presence in memory. in presence its detecting for 62 has come onto the scene. This is a standard that that astandard is This scene. the onto come has 63 . The Equation Group Group Equation . The 64 , and , and 25 Infrastructure Security 26 Infrastructure Security Figure 16: IoControlCode Used by nls_933w.dll by Used IoControlCode 16: Figure queuing). DPC generation, (thread queuing request IO to related APIs defining also by eliminated be can positives false 18, Figure in shown as Specifically, processing. other to related groups API as well as group, API mentioned previously memory images, false positives occurred with a number of drivers on Windows 7* Windows on drivers of anumber with occurred positives false images, memory 7 Windows and XP Windows 32-bit of number a with definition this using detection verifying Upon occurring. positives false of likelihood higher in a result will this like definitions generic However, AND. using these as such APIs imported the defining by nls_933w.dll like functions with drivers detect to possible be may It size. write or read the on based used also are APIs similar and earlier, described registers ATA the to device write to used is WRITE_PORT_UCHAR called API an example, For registers. or ports hardware to write or from read to driver the in used APIs the include IOCs generic possible Other fact. the after space memory valid in find to difficult are they that said be could it so stack, the are onto strings loaded the deobfuscation after and obfuscated, are these nls_933w.dll of case the in However, firmware. HDD identifying of process the during used are that WD” “WDC and STM” “ as such numbers model the is mind to comes that thing first The nls_933w.dll. to limited not behavior, similar with malware detecting for IOCs generic evaluate will we Next, structures. 
these parses that sequence code the defining be could use to method one but side, driver the on included not are these like structures Meanwhile, AND. using defined are these so ATA commands, include that structures many contains module the Additionally, memory. in exist 12 of bytes) 17total (a Figure in shown structures sequence binary two the example, for DEVICE), (IDENTIFY information HDD obtains and that command the offsets for so write, to register of data consists structure This nls_933w.dll. of detection the to applied only if effective also is registers device ATAwrite and read to used nls_933w.dll in structure byte 6 the of comprised sequence binary the defining Furthermore, condition. AND the using IOCs as defined be all can these 16, and in Figure shown IoControlCodes six the uses malware This API. DeviceIoControl the in specified is which IoControlCode, include driver the and DLL the both in detected be can that IOCs nls_933w.dll. of detection the to specific IOCs at look will we First, image. amemory from loads) it drivers the (and DLL this detecting for IOCs evaluate will we earlier, detailed behavior initial the on based Consequently, memory. in exist least at must DLL same the space, data hidden the access to required is DLL this of API the because However, HDD. an from malware delete and detect to difficult it makes nls_933w.dll initially, stated we As n Evaluation of IOCs sent. is updates firmware to related MICROCODE) (DOWNLOAD acommand reprogrammed, be can target the that information HDD the from determined is it if this, After number. model the on depending sent be may PARAMETERS) DEVICE (INITIALIZE command afurther then and checked, are number model and revision, firmware number, serial the as such details obtained, information the From win32m.sys. to sent first is information HDD obtaining for DEVICE) (IDENTIFY acommand process, queuing this During ATA commands. 
issuing for IO of requests queuing the to on moves processing issues, no are there If out. carried is handlers request IO of clearing/setting the as such initialization and version, module the confirm to API DeviceIoControl the via controlled is win32m.sys Subsequently, nls_933w.dll. of process main the out carries that function the in resources the from loaded first is (win32m.sys) A driver *66 *66 The specimens we obtained were actually not designed to enable the loading of drivers in Vista or later environments with UAC enabled. UAC with environments later or Vista in drivers of loading the enable to designed not actually were obtained we specimens The Figure 17:  Figure Information (IDENTIFY DEVICE) Information (IDENTIFY HDD Obtains that Command the for Structures 66 . Consequently, we defined both the the both defined we . Consequently, *67 *67 Clearinghouse for Information, Security Operation Service Division, IIJ Minoru Kobayashi, Tadashi Kobayashi, Masahiko Kato, Masafumi Negishi, Yasunari Momoi, Hiroyuki Hiramatsu Contributors: IIJ Division, Operation Service Information, Security for Clearinghouse and Response Emergency of Office Takahiro Haruyama Suga Yuji PUAs) Malicious Hiroshi Suzuki (1.4.1 Increasingly Survey) Incident (1.3 Nashiwa Hisao Suzuki, Hiroshi Nagao, Tadaaki Tsuchiya, Hirohide Hirohide Tsuchiya Authors: Figure 18: Detection Based on API Used API on Based Detection 18: Figure this. as such reports in responses associated and incidents publicizing and identifying by usage Internet of dangers the about public the inform to effort every makes IIJ firmware. HDD reprograms that malware for IOCs the of evaluation our presented and technology, management ID examined PUAs, malicious increasingly discussed we report, this In responded. 
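To make the AND composition of IOC terms discussed above concrete, the following Python is an added example written for this review; it is not IIJ's openioc_scan code, and the OpenIOC definitions themselves are on the GitHub page cited in the footnotes. WRITE_PORT_UCHAR comes from the text; READ_PORT_UCHAR, PsCreateSystemThread, KeInsertQueueDpc and KeSetTimer are the kernel APIs chosen here to stand for the "thread generation, DPC queuing" and "kernel timer" groups; the IoControlCode values, byte sequences and module records are constructed placeholders, not the values in Figures 16 and 17.

```python
"""AND-composed memory IOCs, as an added illustration (not openioc_scan).

Every numeric value, byte sequence and module record below is a constructed
placeholder.  The point demonstrated is the one made in the report: a
generic single-group definition also hits a benign driver, while ANDing it
with a second API group (and a "not" on the kernel timer) removes the hit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """One module recovered from a memory image (constructed sample data)."""
    name: str
    imports: frozenset          # API names found in the import table
    ioctls: frozenset           # IoControlCode values passed to DeviceIoControl
    image: bytes = b""          # raw image bytes, searched for byte sequences


# An IOC is a nested tuple: a term ("import"|"ioctl"|"bytes", value) or a
# combinator ("and", [...]), ("or", [...]), ("not", ioc).  AND requires every
# term to hold in the same module, which is what cuts the false positives.
def evaluate(ioc, mod):
    op = ioc[0]
    if op == "and":
        return all(evaluate(sub, mod) for sub in ioc[1])
    if op == "or":
        return any(evaluate(sub, mod) for sub in ioc[1])
    if op == "not":
        return not evaluate(ioc[1], mod)
    if op == "import":
        return ioc[1] in mod.imports
    if op == "ioctl":
        return ioc[1] in mod.ioctls
    if op == "bytes":
        return ioc[1] in mod.image
    raise ValueError(f"unknown indicator {op!r}")


def scan(ioc, modules):
    """Names of the modules matching an IOC definition, in input order."""
    return [m.name for m in modules if evaluate(ioc, m)]


# --- IOC definitions (generic) ------------------------------------------
# Port-register access alone: WRITE_PORT_UCHAR is named in the text; the
# read counterpart and the queue/timer API names are assumed for the example.
PORT_IO = ("and", [("import", "WRITE_PORT_UCHAR"), ("import", "READ_PORT_UCHAR")])
QUEUE_APIS = ("and", [("import", "PsCreateSystemThread"),   # thread generation
                      ("import", "KeInsertQueueDpc")])      # DPC queuing
PORT_IO_AND_QUEUE = ("and", [PORT_IO, QUEUE_APIS])
# "Presence or lack of the kernel timer function", only useful when ANDed.
QUEUE_NO_TIMER = ("and", [PORT_IO_AND_QUEUE, ("not", ("import", "KeSetTimer"))])

# --- IOC definition (specific to the DLL) --------------------------------
# Six IoControlCodes plus both 6-byte ATA register structures, all ANDed.
PLACEHOLDER_IOCTLS = (0x22E000, 0x22E004, 0x22E008, 0x22E00C, 0x22E010, 0x22E014)
IDENTIFY_SEQ_A = bytes.fromhex("0100a00001ec")   # constructed placeholder
IDENTIFY_SEQ_B = bytes.fromhex("0000a00002ec")   # constructed placeholder
SPECIFIC_DLL = ("and", [("ioctl", c) for c in PLACEHOLDER_IOCTLS]
                + [("bytes", IDENTIFY_SEQ_A), ("bytes", IDENTIFY_SEQ_B)])

# --- Constructed sample "memory image" ----------------------------------
SAMPLE_MODULES = (
    Module("hdd_reprogrammer.sys",            # stand-in for a win32m.sys-like driver
           frozenset({"WRITE_PORT_UCHAR", "READ_PORT_UCHAR",
                      "PsCreateSystemThread", "KeInsertQueueDpc"}),
           frozenset(PLACEHOLDER_IOCTLS)),
    Module("legit_port_driver.sys",           # benign driver that also touches ports
           frozenset({"WRITE_PORT_UCHAR", "READ_PORT_UCHAR", "KeSetTimer"}),
           frozenset()),
    Module("hdd_reprogrammer.dll",            # stand-in for the user-mode DLL
           frozenset({"DeviceIoControl"}),
           frozenset(PLACEHOLDER_IOCTLS),
           b"\x90" * 16 + IDENTIFY_SEQ_A + b"\x00" * 4 + IDENTIFY_SEQ_B),
    Module("unrelated.sys", frozenset({"KeSetTimer"}), frozenset()),
)


def run_definitions(modules=SAMPLE_MODULES):
    """Apply each definition; the first one shows the false positive."""
    return {
        "port_io_only": scan(PORT_IO, modules),
        "port_io_and_queue": scan(PORT_IO_AND_QUEUE, modules),
        "queue_no_timer": scan(QUEUE_NO_TIMER, modules),
        "specific_dll": scan(SPECIFIC_DLL, modules),
    }


if __name__ == "__main__":
    for name, hits in run_definitions().items():
        print(f"{name:18} -> {hits}")
```

The `port_io_only` definition flags both the suspicious driver and the benign port driver, which is the false positive the report describes; adding the queuing API group with AND leaves only the suspicious driver, and the specific DLL definition matches only the module whose image carries both byte structures together with all six IoControlCodes.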
■ Summary

In this report, we demonstrated that there exist measures against malware that reprograms HDD firmware and hides data, showing that detection within memory can be effective. Here we evaluated IOCs especially for detecting this malware, as well as generic IOCs for detecting malware with similar functions*67. However, to produce results with fewer false positives in this latter case, it is necessary to create definitions that match the malware functions based on sufficient analysis and verification. As a result, it would be best to determine which approach to take as the occasion demands based on the urgency of response.

*67 The IOCs we discussed here are listed on the following site (https://github.com/TakahiroHaruyama/openioc_scan).

1.5 Conclusion

This report has provided a summary of security incidents to which IIJ has responded. In this report, we discussed increasingly malicious PUAs, examined ID management technology, and presented our evaluation of the IOCs for malware that reprograms HDD firmware. IIJ makes every effort to inform the public about the dangers of Internet usage by identifying and publicizing incidents and associated responses in reports such as this.

Authors:
Mamoru Saito
Manager of the Office of Emergency Response and Clearinghouse for Information, Security Operation Service Division, IIJ. After working in security services development for enterprise customers, Mr. Saito became the representative of the IIJ Group emergency response team, IIJ-SECT, in 2001, participating in FIRST, an international group of CSIRTs. Mr. Saito serves as a steering committee member of several industry groups, including Telecom-ISAC Japan, Nippon CSIRT Association, Information Security Operation providers Group Japan, and others.
Hirohide Tsuchiya (1.2 Incident Summary)
Hirohide Tsuchiya, Tadaaki Nagao, Hiroshi Suzuki, Hisao Nashiwa (1.3 Incident Survey)
Hiroshi Suzuki (1.4.1 Increasingly Malicious PUAs)
Yuji Suga (1.4.2 ID Management Technology: From a Convenience and Security Perspective)
Takahiro Haruyama (1.4.3 Evaluating the IOCs of Malware That Reprograms HDD Firmware)
Office of Emergency Response and Clearinghouse for Information, Security Operation Service Division, IIJ
Contributors:
Hiroyuki Hiramatsu, Yasunari Momoi, Masafumi Negishi, Masahiko Kato, Tadashi Kobayashi, Minoru Kobayashi
Office of Emergency Response and Clearinghouse for Information, Security Operation Service Division, IIJ

2. Messaging Technology
Anti-Spam Measure Technology and DMARC Trends

In this volume we report on spam trends incorporating the 52 weeks’ worth of data from March 31, 2014, to March 29, 2015, while referencing data from IIR Vol.1. Additionally, in our commentary on email technologies we discuss the RFC for DMARC that was authored recently, as well as the email framework for using DMARC, and the email ecosystem including domain reputation and feedback.

2.1 Introduction

In this report we discuss the latest trends in spam and email-related technologies, and examine a variety of anti-spam measures in which IIJ is involved. In “Spam Trends,” we cover spam ratio trends since IIR Vol.1, including FY2014. We also discuss security topics arising from spam. Under “Trends in Email Technologies,” we take the opportunity to examine the benefits of introducing DMARC to aid it in becoming more widespread, in light of a DMARC RFC being authored. We also look at how sender authentication technology such as DMARC can be used effectively in email systems. We have already presented these concepts at events such as the Internet Association Japan’s Anti-Spam Conference. In the future we would like to continue discussions in detail to work toward implementation, together with a number of organizations involved with anti-spam measures. Last year, there were a number of events that became milestones for activities related to anti-spam measures. I will touch upon these at the end.

2.2 Spam Trends

In this section we examine spam trends, based on trends in the ratios of spam detected by the spam filter provided through IIJ’s email services. Spam ratios are collated by week, because email usage rates differ for email users between weekdays and weekends. That said, spam ratios tend to be relatively higher on weeks that include long holidays such as the summer vacation and New Year periods, as the number of legitimate emails is significantly lower.

2.2.1 Spam Ratios Decline Further in FY2014

Figure 1 is a graph showing spam ratio trends for 356 weeks’ worth of data from the initial IIR period (Vol.1, June 2008), including the 52 weeks between March 31, 2014, and March 29, 2015, which covers the year since the previous IIR (Vol.23). This indicates that the average spam ratio for the past year (FY2014) was 31.7%. The average ratio stood at 47.4% the year before last (FY2013), so this represents a drop of 15.7%. The ratio of spam has fallen sharply since 2010, first remaining in the 40% range for some time with averages of 48.1% for FY2011 and 44.3% for FY2012, and now in FY2014 it has decreased further.

Figure 1: Spam Ratio Trends (graph; vertical axis: spam ratio in %, 10 to 90; horizontal axis: weekly dates from 6/2/2008 to 3/2/2015)

Let us compare spam ratios over a longer period of time. The average ratio was 78.6% in FY2009, so spam ratios, or in other words the volume of spam itself, have dropped considerably in the past five years. To give a more detailed explanation, because the ratio has fallen by 46.7%, if we were to suppose the number of standard, non-spam emails received remained constant over these five years, it would mean the overall volume of email received has fallen to a third of that before.

2.2.2 Higher Risks Despite Lower Volumes

These figures demonstrate that the volume of spam itself is on the decline, but as we have said in the past, it does not appear the risks that spam can pose have diminished. According to a report*1 (… 12, 2015), there were 1,876 cases of illegal remittance in 2014, an increase over the previous year. Total damages came to 2,910 million yen, which is about double the 1,406 million yen in damages from the year before. Regarding the type of damages incurred, it was reported that there had been an increase in corporate bank accounts affected, rather than personal bank accounts. Regarding illegal remittance methods, it was reported that the technique of using viruses to automatically process illegal remittances was becoming increasingly sophisticated. This is thought to indicate that malware*2 … Let us examine how this kind of malware infiltrates the PCs of individuals and companies.

Data on unauthorized access in the report … security holes, or in other words targeting vulnerabilities (security hole attacks in the report). Meanwhile, there were 336 arrests for the use of identification codes without permission. Of course, it is likely a considerable amount of malicious activity did not result in arrests, but from the data that we have at hand we can surmise that incidents exploiting vulnerabilities on a PC directly from an external source are (as yet) uncommon. … that I believe will prove useful for gauging recent trends.

These materials also listed the following points to note regarding defense against such incidents. Because the caution regarding phishing discussed taking care with email, it appears that email is being used to redirect users to phishing sites. Similarly, with regard to malware (malicious software), it was indicated that users should not open email attachments or files downloaded from untrustworthy websites. In short, we can see that email is used as a trigger for these malicious activities, and that accessing malicious sites listed in emails is a major cause of malware infections.

Regarding phishing, the Council of Anti-Phishing Japan*3 reports*4 the actual websites and the sample phishing email text used to lure users to those sites. If you receive a suspicious email, we recommend you check whether it has been registered there. From a global perspective, APWG*5 …

2.3 Trends in Email Technologies

Here we will examine a variety of technological trends relating to email. This time we discuss the RFC for DMARC that was authored recently, as well as the email framework for using DMARC, and the email ecosystem including domain reputation and feedback.

2.3.1 The DMARC RFC

We have discussed the specifications of DMARC (Domain-based Message Authentication, Reporting, and Conformance) in this IIR since its origin and Internet-Draft (“I-D”) stages. In March 2015, the core portions of DMARC were published as

3. 3. 2. 1. APWG: Anti-Phishing Working Group (https://apwg.org). Group Working Anti-Phishing Japanese). (in APWG: (https://www.antiphishing.jp/) Japan Anti-Phishing of Council (https://www.npa.go.jp/cyber/ functions control access to related (instatics/h26/pdf041.pdf) Japanese). technology for development and research and incidents “viruses.” access term unauthorized of widely-used Status more the from it is remittances, differentiate to illegal of malware or processing software the or spam, of malicious sending called the sometimes information, of theft the as such purposes, malicious certain for created Software Status of Incidents of Illegal Remittance Related to Internet Banking in 2014 (http://www.npa.go.jp/cyber/pdf/H270212_banking.pdf) (in Japanese). (in (http://www.npa.go.jp/cyber/pdf/H270212_banking.pdf) 2014 in Banking Internet to Related Remittance Illegal of Incidents of Status

Higher Risks Despite Lower Volumes Volumes Lower Despite Risks Higher The DMARC RFC DMARC The Trends Technologies Email in Caution regarding malicious programs malicious regarding Caution phishing regarding Caution passwords of management and configuration Appropriate 3 also published by the National Police Agency, among others, on March 19, 2015, listed two arrests for exploiting exploiting for arrests two 19, listed 2015, March on others, among Agency, Police National the by published also 4 provides information such as lists of phishing sites that mimic mimic that sites phishing of lists as such information provides 1 published by the National Police Agency on February February on Agency Police National the by published 5 publishes regular reports reports regular publishes 2 is still being employed. being still is 29 Messaging Technology 30 Messaging Technology this in Vol.16 in report* this this of We discussed domain. sender adifferent authenticate each authentication DMARC for basis the as used checks DKIM and SPF the and DMARC that fact the from originates issue The Group. Working DMARC IETF the by attention ongoing requiring apoint as cited also is it and process, standardization the during impact an had issue this likely is It possible. normally was use where cases of anumber in failing authentication with issue an has DMARC past, the in out pointed been has As 2014. April in made was Informational to I-D from change the appears it but Informational, an becoming it for reasons the of aware fully not Iam so Group, Working DMARC IETF the of discussions the all follow not Idid RFC. Informational an email should be received. In the world of email, it has long been said that a reputation system for evaluating whether or or whether evaluating for system areputation that said been long has it email, of world the In received. 
be should email an not or whether determine to required is process authorization an so spoofed, been not has domain sender authenticated an that indicates merely This spam. is email not or whether determining for than rather information, sender authenticating for technologies are DKIM and SPF as such technology authentication sender that times of a number stated have we now, to Up senders. to authentication failed on information report and function authentication anew add must who recipients, to benefits any provides DMARC whether examine us let Then recipients. the to delivered being from email spoofed prevents records DMARC publishing as DMARC, to advantages significant are there perspective asender’s from that said be could It 2.3.3 function. of reporting kind this provide to recipients email more for necessary be will it DMARC of use the popularize to However, side. recipient the on placed burden anew is Reporting areport. of form the in authentication fails that email on information of domain sender the notifying and recipient, email the by received email for domain sender the authenticating by achieved is reporting of kind This “reject.” to changed be to were policy the if impact the gauge to circulation in are emails spoofed many how about confirm and cases, any in failed email legitimate for authentication whether advance in determine can administrators domain report, this on Based sender. the to results authentication reports that function reporting the utilizing while these, as such impact limited with policies configure can administrator domain A configuration. policy a“reject” for transitions as designed are which and “quarantine,” as “none” such policies features also DMARC However, impact. asignificant have may this example, aprevious in shown As “reject.” to policy record DMARC the set to necessary is it this achieve to However, delivered. 
being from it prevent way, and this in spoofed domain sender the has that email identify to is DMARC of goal The domain. its misrepresents that email to related complaints in drop dramatic the with pleased was who bank U.S. amajor with member astaff from Iheard “reject,” to changed be to was policy record DMARC the that publishing after Meanwhile, policy. record DMARC the to according rejected be to receipt caused This list. mailing the from destinations delivery at authentication DMARC fail to Yahoo! via lists mailing in participating users of email the in resulting “reject,” to policy record DMARC the changed Yahoo! company U.S. which in incident actual an was there 2014, April In message. the changed has function intermediary an that or different, are email that of recipient final the of perspective the from sender recent most the and creator email original the that is cause underlying the case, each In email operations. convenient as utilized widely been have which functions, following the of use the include examples as given Cases flows.” mail “indirect is tackled be to needs that issue an as Group Working DMARC IETF the of charter the in listed currently problem One 2.3.2 RFC7489* *7 *6 modification message in results that handling message enhanced perform that MTAs • services forwarding mailbox Automated • managers list Mailing • “Messaging Technology ‘Sender Authentication Technology Deployment and Authentication Identifiers’” in Vol.16 of this report (http://www.iij.ad.jp/en/ report this in of Vol.16 Identifiers’” company/development/iir/pdf/iir_vol16_EN.pdf). Authentication and Deployment Technology Authentication ‘Sender Technology (https://datatracker.ietf.org/doc/rfc7489/). “Messaging (DMARC) Conformance and Reporting, Authentication, Message Domain-based

Use of DMARC by Email Recipients byEmail DMARC of Use Reporting and DMARC with Problems 6 . Initially, the DMARC I-D was published and discussed as a standards-track item, but in the end it became an an became it end the in but item, astandards-track as discussed and published was I-D DMARC the . Initially, 7 , which was published in August 2012. August in published was , which become possible to exclude unwanted spam in a more proactive manner. proactive amore in spam unwanted exclude to possible become may it feedback, as provided be to reputations domain enabling area, awide over aggregated be can information (domain) sender spam and widespread, more becomes DMARC of use the once However, it. exclude to individually effort exert to had recipients the and manner, aone-sided in recipients to sent was spam now, Until reputations. domain of accuracy the improve further to possible be will it system, this using gathered be can (domains) information sender definitive with along spam If to senders or implements administrative measures based on the information it has gathered* has it information the on based measures administrative implements or senders to warnings sends MIC The information. this by indicated violations any are there if (MIC) Communications and Affairs of Internal Ministry the notifying as such measures takes Center Consultation Anti-Spam The input. Web-based or email forwarded of way by spam on information accepts (JADAC) Association Communications Data Japan the of Center Consultation Spam Anti- the example, For Japan. in spam as arecipient by received email reporting for systems of cases already are There increase. may data reputation and analysis report of kind this providing businesses of number the so relationship, beneficial amutually build to information reporting collate who companies and administrators domain for possible is it how demonstrates This together. 
them providing of instead report, auseful as failed authentication DMARC which in cases collating and emails, reporting aggregating by reputation domain own for data a company’s as utilized also are targets reporting these appears It reporting. record DMARC for target the as one corresponding the than other names domain specifying records seen Ihave Recently, helpful. very is recipient the by necessary) is this whether (or spam is email whether of detection on and received, actually email of results authentication the on information reputation, domain of accuracy the raise to said, That range. acertain as tendencies their express to us enables That administrators. of identity the or created, were they since passed has that time of amount the as such information on based spam, sent had they showing data clear no with domains even judge automatically to possible it makes this example, For list). either on included not domains including you if values three (or white or black of values two the to limited being than rather approach, graded a more takes that avalue as of thought is reputation domain general, In awhitelist. as expressed were accepted be should email which from domains conversely, and blacklist, adomain as expressed being accepted be not should email which from domains of examples were there past, the In defined. clearly not still is reputation” “domain term The 2.3.4 user satisfaction. improving too, users, recipient for email unnecessary deleting and viewing of burden the reduces This spool. message the in stored be to need not do they means also It detection. filter spam and checks virus as such mail, received to applied normally processes of anumber with associated load the lighten can email unnecessary receiving from recipients email Preventing received. 
be not should that reputation alow with emails unnecessary of number the reduces domain) (the them evaluating and authentication sender via sender the clarifying because recipients email benefits DMARC Implementing domains. individual on based reputation using email receive to not or whether determine to process authorization an perform to possible now is it say could you words, other In methodology. unified using adomain extract to possible last at is it so DMARC, ultimately then DKIM, and SPF using authenticated are domains which in asystem enables DMARC authorization. this perform to required be would domain authenticated the on based received be should email not *8 *8

Ministry of Internal Affairs and Communications: Anti-Spam Measures (http://www.soumu.go.jp/main_sosiki/joho_tsusin/d_syohi/m_mail.html) (in Japanese). (in (http://www.soumu.go.jp/main_sosiki/joho_tsusin/d_syohi/m_mail.html) Measures Anti-Spam Communications: and Affairs Internal of Ministry

2.3.5 Email Ecosystems

Figure 2 is an overview (framework) showing the relationships between the DMARC implementation of sender authentication, the domain reputation that evaluates authenticated domains, and the feedback that reports on received email. This is an ecosystem that covers the roles of each and sustainable systems for creating a better environment for email use, including the anti-spam measures we have discussed to date. Allow me to go over the basics of each role.

[Figure 2: Email Ecosystem. Message Sender; Sender Authentication (SPF + DKIM, DMARC: pass, fail, none); Domain Reputation query (white, gray, black); Spam Filter (spam, legitimate mail); Message Receiver; Feedback to the domain reputation and to the sender]

First, when email is received, domain authentication is performed using SPF and DKIM, as well as DMARC. At this stage, assuming the various issues can be resolved using technology, if DMARC authentication fails with the sender policy configured as reject, it may be possible to block receipt (from a technical perspective). Next, the received and authenticated domain is evaluated using domain reputation. If an authenticated domain is registered to a whitelist in advance, it can be delivered to the mail recipient without processing by the spam filter, depending on the situation. The difficult aspect of spam filters is how to exclude clever spam that makes itself hard to identify. On the other hand, it is necessary to take measures to prevent false positives, in which normal email that should be received is detected as spam. Email like this that is hard to detect based on its content alone can be delivered to recipients easily if the authenticated domain name is included in a whitelist. Additionally, if it is known that an authenticated domain is clearly one that sends spam, it can be excluded easily without passing it through the spam filter. This shows that if the number of cases detectable in advance increases, it may also be possible to keep spam filter equipment costs in check.

We have reported cases in the past where IDs and passwords subject to SMTP authentication when mail was sent were exploited to use legitimate mail submission servers as stepping stones. To sum up, because the message passes over a legitimate email delivery route, even under this framework spam would be delivered if that sender were registered to the whitelist. In this case, as long as the recipient can report the false negative (as feedback) to the sender managing the domain reputation, it will be possible to detect the transmission server being used as a stepping stone. If the sender-side company references the SMTP authentication records for when an email is sent, it is possible to look up where that email was actually sent from, and who the physical sender is. For example, the PC may be infected with malware, or that subscriber may be explicitly sending spam, but in either case the source of the email can be confirmed, so measures can be taken.
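The receiver-side flow of Figure 2 (DMARC authentication, then a domain reputation lookup, then the spam filter, with feedback to the sender domain), as an added worked example that is not code from IIJ or from the report. The DNS TXT records, reputation table and .test domains are constructed; the record syntax and the check that an external report address is authorised follow RFC 7489.

```python
"""Receiver-side DMARC and domain-reputation flow, modelled on Figure 2.

Added example; not code from IIJ or from the report. The DNS TXT data,
reputation table, .test domains and messages are constructed. DMARC record
syntax and the external-report authorisation check follow RFC 7489.
"""
from dataclasses import dataclass

# Constructed DNS TXT records (a real receiver would query a resolver).
DNS_TXT = {
    "_dmarc.bank-example.test": "v=DMARC1; p=reject; rua=mailto:agg@reports-example.test",
    # Reports go to a different domain, so that domain must publish an
    # authorisation record (RFC 7489 section 7.1), as observed in section 2.3.4.
    "bank-example.test._report._dmarc.reports-example.test": "v=DMARC1",
    "_dmarc.list-example.test": "v=DMARC1; p=none; rua=mailto:dmarc@list-example.test",
}

# Constructed domain reputation: "white" or "black"; any other domain is gray.
REPUTATION = {"bank-example.test": "white", "spam-example.test": "black"}


@dataclass
class AuthResult:
    """SPF and DKIM outcomes for one message, the inputs to DMARC evaluation."""
    from_domain: str          # RFC5322.From domain that DMARC aligns against
    spf_domain: str = ""      # domain SPF authenticated (MAIL FROM), "" if none
    spf_pass: bool = False
    dkim_domain: str = ""     # d= tag of a valid DKIM signature, "" if none
    dkim_pass: bool = False


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; None unless it is a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def lookup_policy(domain, dns=DNS_TXT):
    """DMARC record for the From domain, or None when the domain publishes none."""
    record = dns.get(f"_dmarc.{domain}")
    return parse_dmarc(record) if record else None


def dmarc_pass(auth):
    """Strict identifier alignment: an authenticated domain must equal From.

    Mailing lists and forwarders typically break this (section 2.3.2): SPF then
    authenticates the relay's domain and a modified body invalidates DKIM.
    """
    return (auth.spf_pass and auth.spf_domain == auth.from_domain) or \
           (auth.dkim_pass and auth.dkim_domain == auth.from_domain)


def report_destination(domain, policy, dns=DNS_TXT):
    """Return the rua mailbox if reports may be sent there, else None."""
    rua = policy.get("rua", "")
    if not rua.startswith("mailto:") or "@" not in rua:
        return None
    rua_domain = rua.split("@", 1)[1]
    if rua_domain == domain:
        return rua
    # External destination: require a <domain>._report._dmarc.<rua_domain> record.
    if parse_dmarc(dns.get(f"{domain}._report._dmarc.{rua_domain}", "")):
        return rua
    return None


def receive(auth, dns=DNS_TXT, reputation=REPUTATION):
    """Decide the fate of one message and the feedback it generates.

    Returns (action, feedback); action is 'reject', 'quarantine', 'deliver'
    (bypassing the spam filter), 'exclude' (known spam domain) or 'spam_filter'.
    """
    feedback = []
    policy = lookup_policy(auth.from_domain, dns)
    passed = dmarc_pass(auth)
    if policy is not None and not passed:
        dest = report_destination(auth.from_domain, policy, dns)
        if dest:   # aggregate feedback lets the sender gauge a move to p=reject
            feedback.append({"to": dest, "domain": auth.from_domain, "result": "fail"})
        if policy.get("p") == "reject":
            return "reject", feedback
        if policy.get("p") == "quarantine":
            return "quarantine", feedback
    if not passed:
        # No authenticated domain, so no reputation can be attached to the mail.
        return "spam_filter", feedback
    rep = reputation.get(auth.from_domain, "gray")
    if rep == "white":
        return "deliver", feedback
    if rep == "black":
        return "exclude", feedback
    return "spam_filter", feedback
```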

Email Ecosystems Message Sender Feedback Reputation Domain fail Reputation Query Authentication DMARC Sender + pass black Reputation Domain none Feedback white gray spam Spam Filter legitimate mail Message Receiver and Communications (MIC) and the Consumer Affairs Agency take part as members. This is closely related to the M the to related closely is This members. as part take Agency Affairs Consumer the and (MIC) Communications and Affairs Internal of Ministry the Japan, From participating. countries 27 currently are there and measures, anti-spam with involved countries various from agencies administrative together brings that organization an is LAP Tokyo. in Hotel Plaza of mind. of peace more little a with used be can email where environment an develop help least at to like would I difficult. be may that time in point this at day, but one needed longer no were measures anti-spam these if best be would it Ibelieve Naturally, society. of foundations the of one into use afew only that tool asupplementary from transforming importance, in grown has email as known system the because be may That on. 10 years unchanged remain to appear as these such organizations of importance the and activities these of purpose the but course, natural its run much pretty has it and forever, itself sustain can that like agroup way no is there Still, time. this all avolunteer as acted has it with involved everyone and organization, aformal as up set not was JEAG reason, that For protracted. so be would spam of problem the think I didn’t first. at long so last to expect not Idid activity another was This then. since passed have 10 years organization, predecessor measure activities would still be ongoing a decade later. We launched JEAG* We launched later. adecade ongoing be still would activities measure anti-spam our that inkling no Ihad ago, 10 years together came organizations private and agencies administrative When me. 
including conferences, most the in part taken have who members three the by given were speeches and opening, the at presented was agenda original the anniversary, 10th the To commemorate Meeting. Founding initial the in part Itook where place same the USA, 2014 Boston, in October in Last year, in October 2014, the 10th annual conference of the London Action Plan (LAP* Plan Action London the of conference annual 10th the 2014, October year, in Last 2.4 *10 *9 M out. turned it how of approval their voiced also participants and success, in ended conference 10 Tokyo LAP the contributors, many of efforts the to Thanks ASPC. the of arepresentative as date, to Japan in out carried activities measure anti-spam the on apresentation gave Ialso conference LAP the During well. as attend to public general the encouraging of aim the with venue, same the at Conference Anti-Spam Japan’s Association Internet the held and hall, exhibition adjoining an at exhibition apanel together We put conference. 10 Tokyo LAP the for prepare to acommittee formed to Ibelong that (ASPC) Council Promotion mail Anti-Spam the conference, milestone this up build Asia. To in held been has it time first the Japan, in place took conference annual 10th the year last but America, North or Europe in held been only have conferences LAP Past members. MIC with together meetings LAP independent in part taken Ihave years few past the for occasion, on meetings joint held previously have we as and of, amember Iam that Author: 3 AAWG, which was established in 2004, also reached its 10-year milestone last year. The 32nd General Meeting was held held was Meeting General 32nd The year. last milestone 10-year its reached also 2004, in established was which AAWG, JEAG: Japan Email Anti-Abuse Group (http://jeag.jp) (in Japanese). (in (http://jeag.jp) Group Anti-Abuse Email Japan JEAG: Plan (http://londonactionplan.org). 
Action London Conclusion group, as well as chief examiner for the Sender Authentication Technology Workgroup. Additionally, he is a member of Internet Association Association Internet of amember is he Japan’s Additionally, Anti-Spam Measures Committee. Workgroup. Technology Authentication administrative its of Sender the for amember and examiner (ASPC) chief as well Council as group, Promotion mail Anti-Spam the of chairperson acting is He establishment. its since collaboration with external related organizations for securing a comfortable messaging environment. He has been a member of M of amember been has He environment. messaging acomfortable securing for in organizations activities related various in involved external also with is He systems. collaboration communication of development and IIJ the research of the in engaged is He Department Division. Development Product Application the of No.2 Section Development Service the in Engineer aSenior is Mr. Sakuraba Shuji Sakuraba 10 in Japan in 2005, and if you include its its include you if and 2005, in Japan in 9 ), LAP 10 Tokyo was held at Keio Keio at held was 10 Tokyo LAP ), 3 AAWG AAWG 3 AAWG AAWG 33 Messaging Technology 34 Web Traffic Report requested content in response to requests from each client. each from requests to response in content the requested return servers web the and clients, for end front the as act that servers web the on cached are content of types two PCs. for These Streaming) Dynamic (HTTP HDS and devices, mobile for Streaming) Live (HTTP HLS content: of types two generate servers ingest The Protocol). Messaging Time (Real RTMP using IIJ at servers ingest the to it uploads then video, the encodes Corporation Broadcasting Asahi 1). (Figure Koshien Summer of streaming live the for used were servers Web 38 2014, In 2014. 25, August on Koshien 2014Summer the of final the during recorded was Gbps of 108 traffic Peak content. 
streamed live of receipt the involving most with hits, of numbers large gets Corporation Broadcasting Asahi by up set website special the year Every IIJ provides streaming delivery services for Summer Koshien, which is produced by Asahi Broadcasting Corporation* Broadcasting Asahi by produced is which Koshien, Summer for services delivery streaming provides IIJ 3.1 servers. delivery all of logs the analyzing of results bythe revealed as types, device on based trends access in differences as well as access, of scale the examine we Here requests. 1.9 billion approximately were there and recorded, was Gbps of 108 traffic 2014, peak August in Koshien) (Summer Stadium Koshien at held Championship Baseball School High National the of streaming live In 2014 the of Koshien Summer Delivery for Streaming Results Analysis Log on Access Report 3. *1 Refer to Vol.25 of this report (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol25_EN.pdf). report this of Vol.25 to *1 Refer System Delivery for Diagram Conceptual 1: Figure Koshien Stadium Web Traffic Report Traffic Web

Overview of Streaming Delivery of the 2014 the of Delivery Koshien Summer Streaming of Overview IIJ ContentsDeliveryService Viewers Live VideoStreams Asahi BroadcastingCorporation CDN Equipment Ingest Server Live Encoder IIJ Backbone The Internet 1 .

Table 1:  1: Table address. IP unique asingle as counted is it case this in so address, IP same the from access as seen is it NAT, via servers Web to streaming live receive clients multiple When devices. mobile using stream live the viewed actually users many that clear now is it and streaming, live Koshien Summer for mobile applications dedicated providing by devices mobile supported officially Corporation Broadcasting Asahi time first the was This devices. mobile from were (55%) these of half over alittle that found we and addresses, IP unique million 1.3 were There sent. content of amount total the exceeds actually servers Web the from sent data of volume the aresult, As included. also TCP, HTTP, as are IP and such protocols various for headers servers, Web from sent is content When logs. access the in recorded content file segment and playlist of piece each of size file total the is sent content of amount total The earlier. mentioned logs access the in lines of number the matches requests of number total The championship. the of duration entire the over servers Web all for logs access the on based calculated are here shown values The Koshien. 2014 Summer the of streaming live the for access of scale the Table 1indicates future. the in delivery streaming of quality the improve to gained we knowledge the utilize to like We would environment. a production in quality viewing and trends viewing user of state current the understand can we them analyzing by so users, of activities viewing actual to related records of number alarge contain logs access The lines. billion 1.9 around of size massive the at up end logs access these streaming, live Koshien Summer in concentrated is access of amount a large Because server. Web on logs each access in requests of time the with along recorded are files segment and playlist for requests client repeated These playback. 
perform to repeatedly files segment download and playlist updated acontinually to refer must they means That stream. live a display to another after one files segment short consecutive back play must clients files, video long of playback the Unlike time. of intervals fixed into split is that video contain files segment the while time, in point current the at downloaded be can that files segment of list a contains playlist The repeatedly. files segment and playlist a downloads devices) mobile for application adedicated or PCs, for browser (a client the stream, alive watching While Number ofuniqueIPaddresses(millions) Number ofTCPconnections(hundred millions) Total amountofcontentsent(TB) Total numberofrequests(hundredmillions) Summer Koshien 2014 the of Streaming Live for Access of Scale 531.4 19.73 1.30 2.81 35 Web Traffic Report 36 Web Traffic Report Table 2: Schedule Overview for the 2014 Summer Koshien 2014 Summer the for Overview Schedule 2: Table days. game other for those double than more were hour by numbers request that fact the by demonstrated clearly is final the for requests of number high the and PM, 1:00 from final the was held game only the 25th the On recorded. was hour by requests of number peak the timing, same the at and held, was final the when 25 August on recorded was traffic peak The remarkable. is final the of day the on requests of number The increments. hourly into divided day per hits of number the shows 3 day, Figure each for hits of number the 2showed Figure While hour. by numbers access in changes 3shows Figure Next, streaming. live via watching were week the during event the of broadcast TV the watch to unable were who people because be to thought is beyond 18 and August on Festival Bon the after hits of number the in growth The views. streaming live in adecrease in resulting home, at TV on broadcast Koshien Summer the watching were and vacation summer their took people many period this During 15. 
August 13 and August between fell that Festival Bon the is 18 August before numbers access lower the for reason plausible One higher. much were they days five following the for while overall, lower was hits of number 18, the August to Prior varies. numbers access daily in trend 18, the August after and day. Before per hits of number the indicates graph bar day. This by hits of number the in changes 2 shows Figure hour. and day by requests of number the on based championship the during numbers access in changes at look first will we pattern, this followed 2014 whether examine final. To and semifinals the to progresses championship the as increase to tend numbers client Usually, 2). (Table 23 August on day arest including (Mon), 25 August and 11 (Mon) August between held was it so rain, to due days two for postponed was Koshien 2014 Summer The 3.2 Figure 3: Changes in the Number of Hits by Hour by Hits of Number the in Changes 3: Figure August 25(Mon) August 24(Sun) August 23(Sat) August 22(Fri) August 20(Wed)-21(Thu) August 15(Fri)-19(Tue) August 11(Mon)-14(Thu) Number of hourly accesses Dates (millions) 10 20 30 40 50 60 80 90 70

Mon 0 11 Changes in Access Numbers by Day Hour Numbers and Access in Changes Tue 12 Wed 13 Thu 14 Final Semifinals Rest day Quarterfinals Game 3 on August15only) Game 2(Game1forthefirstgame Game 1 Game Summary Fri 15 Sat 16 Sun 17 Date fromAug11to25,2014 Mon 18 Figure 2: Changes in the Number of Hits by Day by Hits of Number the in Changes 2: Figure Number of daily accesses Tue

[Figure residue: daily chart, y-axis in millions, x-axis date from Aug 11 to 25, 2014]

3.3 Differences in Viewing Activities by Device

Because this was the first trial of live streaming entire games to mobile devices, we will also examine the differences between viewing activities on PCs and mobile devices. Here we focus on viewing time and viewing length.

3.3.1 Differences in Viewing Time

It is thought that viewing times vary between PCs and mobile devices such as smartphones because of differences in how the devices are used. The first thing that comes to mind is that higher mobile device usage is expected during the times of day when people commute to work or school. Let us see whether there were differences in viewing times based on device for the live streaming of Summer Koshien.

During the championship, there was some variance in the number of games held each day as well as in the start time of games. If the number of games and the start times differ, it is more likely that user viewing patterns will also change. For this reason, we selected eight days on which games were held from 8:00 am (August 13-14, 16-18, and 20-22), so we could target days where games took place at around the same time of day. Of these eight days, six were weekdays, and the remaining two fell on the weekend. Using the access logs for these periods, we identified the number of requests by device for each hour between 8:00 am and 6:00 pm, and from this we calculated the proportion of access from mobile devices by hour.

Figure 4 shows a box plot of the results of aggregating the access ratios for each hour over the eight-day period. The upper and lower edges of the blue boxes indicate the 75th and 25th percentiles, respectively, and the red line in each box shows the median of the distribution. The median value for the 8:00 am timeslot was 71.8%, showing how high access from mobile devices was. The median was 50% in the 9:00 am timeslot that followed, indicating that mobile devices accounted for half of the access numbers. After 10:00 am the median fell below 40% and continued fluctuating around 30%. These results suggest that many users viewed the live streaming of Summer Koshien on mobile devices during the work and school commute period. After office hours began, users appeared to shift to viewing from PCs.

Figure 4: Hourly Mobile Device Access Ratios (y-axis: proportion of hourly accesses from mobile, request count based, 0.0 to 1.0; x-axis: hour from 8 am to 6 pm)

3.3.2 Differences in Viewing Length

Viewing time isn't the only aspect that differs between PCs and mobile devices. It is also conceivable that viewing length will vary. In the past, prolonged viewing of streaming video on the move was difficult for a number of reasons, such as the small screen size of mobile devices and the lack of network bandwidth while mobile. However, there are now smartphones with large screens in addition to tablets, and the bandwidth available in mobile network environments has increased due to LTE and offloading to Wi-Fi. As a result, we are approaching the point where extended viewing from mobile devices is possible.

To compare the lengths of viewing on PCs and mobile devices, it is necessary to extract the request sequence for each view from the access logs and compare their lengths. However, user and viewing identifiers are not recorded in the access logs. Consequently, as an alternative, we decided to shed light on trends in viewing length between PCs and mobile devices by comparing the length of runs of consecutive segment file numbers. Specifically, from access logs classified by client IP address and device type, we extracted only the segment file requests, then identified places where there were five or more consecutive segment numbers in a request sequence. After this, we compared these numbers of consecutive segment files. We limited our research to places with five or more consecutive segment numbers, because it would not be appropriate to count places where the number of segment files was too small to consider viewing.
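The consecutive-segment method described above, as an added example in Python that is not part of the report: it parses constructed combined-format access log lines (the report does not show its log format, so the seg_<number>.ts naming, the paths, the IP addresses and the User-Agent heuristic are all assumptions), keeps only segment file requests, groups them by client IP and device type, and returns the lengths of runs of five or more consecutive segment numbers per device, the quantity compared between PCs and mobile devices.

```python
import re
from collections import defaultdict

MOBILE_MARKERS = ("iPhone", "iPad", "Android", "Mobile")  # simple User-Agent heuristic (assumption)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "GET (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"')
SEG_RE = re.compile(r"/seg_(\d+)\.ts$")  # assumed HLS-style segment file naming

def log_line(ip, path, ua):  # one combined-format line (constructed sample, not the report's logs)
    return f'{ip} - - [13/Aug/2014:08:00:00 +0900] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

PC_UA, MOBILE_UA = "Mozilla/5.0 (Windows NT 6.1)", "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1)"
# PC client: six consecutive segments, then a jump; mobile client: a playlist fetch,
# five consecutive segments, then a jump. Requests are interleaved, as in a real log.
SAMPLE_LOG = "\n".join(
    [log_line("203.0.113.10", f"/live/seg_{n:04d}.ts", PC_UA) for n in (100, 101, 102)]
    + [log_line("198.51.100.7", "/live/playlist.m3u8", MOBILE_UA)]
    + [log_line("198.51.100.7", f"/live/seg_{n:04d}.ts", MOBILE_UA) for n in (100, 101, 102, 103, 104, 110)]
    + [log_line("203.0.113.10", f"/live/seg_{n:04d}.ts", PC_UA) for n in (103, 104, 105, 600, 601)]
)

def device_type(user_agent):
    return "mobile" if any(m in user_agent for m in MOBILE_MARKERS) else "pc"

def segment_sequences(log_text):
    """Segment numbers in log order, grouped per (client IP, device type)."""
    seqs = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)  # malformed lines do not match and are skipped, not fatal
        seg = m and SEG_RE.search(m.group(2))
        if seg:  # segment file requests only; playlists and other files are dropped
            seqs[(m.group(1), device_type(m.group(3)))].append(int(seg.group(1)))
    return seqs

def consecutive_runs(numbers, min_len=5):
    """Lengths of maximal runs n, n+1, n+2, ...; runs shorter than min_len are discarded."""
    runs, length = [], 1
    for prev, cur in zip(numbers, list(numbers[1:]) + [None]):  # None closes the final run
        if cur == prev + 1:
            length += 1
            continue
        if length >= min_len:
            runs.append(length)
        length = 1
    return runs

def run_lengths_by_device(log_text):
    """Run lengths per device type: the distribution the report compares for PCs and mobile."""
    by_dev = defaultdict(list)
    for (_, dev), nums in segment_sequences(log_text).items():
        by_dev[dev].extend(consecutive_runs(nums))
    return dict(by_dev)
```

Because grouping is by client IP, every user behind a shared NAT address falls into one request sequence, which is one more reason these run lengths cannot be read as per-user viewing times.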

Because of the method used, we should make it clear that the number of segment files does not indicate the viewing time of each user. Figure 5 shows the cumulative frequency distribution of the number of consecutive segment files on PCs and mobile devices. Comparing the two, the runs for PCs are around twice as long as those for mobile devices, and comparing median values we can see that those for PCs are 2.5 times longer than those for mobile devices. These results demonstrate that viewing length tends to be longer on PCs than on mobile devices. Furthermore, based on client-side measurement of viewing time, viewing time on PCs was about 20 minutes, while on mobile devices it was around 10 minutes. These results also point to viewing length being longer on PCs than on mobile devices.

Figure 5: Distribution of Number of Consecutive Segment Files by Device Type (y-axis: CDF, 0.0 to 1.0; x-axis: number of consecutive segment files, log scale 10^0 to 10^3; series: PC, Mobile)

3.4 Comparison of Client Numbers and Access Numbers by Device

In the previous section, we examined differences in viewing time and viewing length for PCs and mobile devices. Here we look a bit further into the differences between how PCs and mobile devices are used, based on the number of clients and the number of hits. Figure 6 shows daily changes in the number of clients for PCs and mobile devices, while Figure 7 shows daily changes in the number of hits from them. The two figures compare PCs and mobile devices day by day, but each indicates a different trend. First, looking at the number of clients in Figure 6, we can see that the number of mobile device clients exceeds the number of PC clients on almost all game days. Even on days where this wasn't the case, the number of mobile device clients was almost on par with the number for PCs.

Figure 6: Comparison of Daily Client Numbers by Device (y-axis: number of daily users in thousands, 0 to 200; x-axis: date from Aug 11 to 25, 2014; series: PC, Mobile)

Meanwhile, Figure 7 shows that the number of hits from PCs exceeded those from mobile devices on all game days. As you can see, when we compare the number of clients and hits for PCs and mobile devices, mobile devices had the higher numbers in one case and PCs in the other. This can be explained by the difference in the number of hits per client on PCs and mobile devices.

Figure 7: Comparison of Daily Access Numbers by Device (y-axis: number of daily accesses in millions, 0 to 250; x-axis: date from Aug 11 to 25, 2014; series: PC, Mobile)

Figure 8 shows the cumulative frequency distribution of daily requests per client on PCs and mobile devices. In the longer cases, games took place for over 10 hours a day, and if all 10 hours of streaming were viewed, a total of 4,500 segment files would be downloaded. In Figure 8, PCs and mobile devices both converge on 1.0 at around 5,000, where the green line is drawn. This suggests that, although the ratio is small, some clients continued playback of the video stream for almost the full day. Comparing the distribution of hits for PCs and mobile devices in Figure 8, we can see that the access number distributions diverge from just after 10. The average for PCs is around 610 requests per client, while for mobile devices the average is around 158 per client, meaning access from mobile devices is only about a quarter of that on PCs. By understanding the extent of the difference in access numbers per client on PCs and mobile devices, we can see why, even when the number of mobile device clients is higher than that of PCs in Figure 6, the number of hits from mobile devices is lower than that from PCs in Figure 7.

Figure 8: Access Number Distribution for Each Client by Device (y-axis: CDF, 0.0 to 1.0; x-axis: number of requests per user, log scale 10^0 to 10^4; series: PC, Mobile)

3.5 Conclusion

From the results of our investigation into the live streaming of the 2014 Summer Koshien, based on the access logs of all delivery servers, we have seen changes in the scale and size of access, and identified differences in the access trends of PCs and mobile devices. This was our first attempt at live streaming entire games to mobile devices, and the analysis results revealed some differences in viewing trends between PCs and mobile devices. Examples include the fact that a particularly large number of viewers use mobile devices during the time when people commute to work and school, and the fact that mobile device viewers watch for shorter periods than PC viewers. Because the trend toward viewing streaming from mobile devices is set to accelerate in the future, we consider it crucial to analyze mobile device usage trends during the course of actual service in order to understand the viewing quality experienced. Although we did not have the opportunity to discuss them this time, we are also conducting surveys and analysis based on the access logs used here with regard to viewing quality, including client behavior while viewing. We will continue performing surveys and analysis like this in the future, to help improve the quality of streaming delivery services.

Author: Megumi Ninomiya
Ms. Ninomiya is a researcher at the Research Laboratory of the IIJ Innovation Institute. She is involved in research into Web traffic.

About Internet Initiative Japan Inc. (IIJ)

IIJ was established in 1992, mainly by a group of engineers who had been involved in research and development activities related to the Internet, under the concept of promoting widespread use of the Internet in Japan. IIJ currently operates one of the largest Internet backbones in Japan, manages Internet infrastructures, and provides comprehensive high-quality system environments (including Internet access, systems integration, and outsourcing services, etc.) to high-end business users including the government and other public offices and financial institutions. In addition, IIJ actively shares knowledge accumulated through service development and Internet backbone operation, and is making efforts to expand the Internet used as a social infrastructure.

Internet Initiative Japan Inc.
Address: Iidabashi Grand Bloom, 2-10-2 Fujimi, Chiyoda-ku, Tokyo 102-0071, Japan
Email: [email protected]
URL: http://www.iij.ad.jp/en/

The copyright of this document remains in Internet Initiative Japan Inc. ("IIJ") and the document is protected under the Copyright Law of Japan and treaty provisions. You are prohibited to reproduce, modify, or make the public transmission of or otherwise whole or a part of this document without IIJ's prior written permission. Although the content of this document is paid careful attention to, IIJ does not warrant the accuracy and usefulness of the information in this document.

©2008-2015 Internet Initiative Japan Inc. All rights reserved.
IIJ-MKTG020YA-1506CP-00001PR
